Analysis
-
max time kernel
600s -
max time network
453s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 05:23
General
-
Target
https://cdn.discordapp.com/attachments/1230856531810193408/1232808107566956574/OnlyFanLeaked_18.zip?ex=662acd85&is=66297c05&hm=26b52ce728716f1320804a51ed9aa19bea94f1b53eb5633ce0620db99ed5e31e&1
Malware Config
Extracted
lumma
https://handbreeadretwaiw.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 56 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1230856531810193408/1232808107566956574/OnlyFanLeaked_18.zip?ex=662acd85&is=66297c05&hm=26b52ce728716f1320804a51ed9aa19bea94f1b53eb5633ce0620db99ed5e31e&11⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd17de46f8,0x7ffd17de4708,0x7ffd17de47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,6294584888678731282,5167131568026071898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OnlyFanLeaked_18\" -spe -an -ai#7zMap18746:94:7zEvent127941⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Windows\system32\pcwrun.exeC:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe" CompatTab1⤵
-
C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW7CBE.xml /skip TRUE2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe5⤵
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwkmtf5i\kwkmtf5i.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8327.tmp" "c:\Users\Admin\AppData\Local\Temp\kwkmtf5i\CSCE22054CEA2944CDAAC24BEF7A0C4FC5C.TMP"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\abtmp2kx\abtmp2kx.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8401.tmp" "c:\Users\Admin\AppData\Local\Temp\abtmp2kx\CSC20F2E6E257F64841B5C77DEA89379C.TMP"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sea2koqs\sea2koqs.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87F9.tmp" "c:\Users\Admin\AppData\Local\Temp\sea2koqs\CSC78302AC8EACC4D91825891ED1A9B1369.TMP"3⤵
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024042505.000\PCW.debugreport.xmlFilesize
3KB
MD516b7a517b72cac4ef0aed3bb90752c48
SHA1bad94e321a70188f723fbf71aa376536c69ef96c
SHA256c079f07ab0fbc6ee69f085548664da3a1aa3b0cfeb4f97ca15d3ed947ffe3922
SHA5120d233a5af3c3585d398b7651a88403404cbd1b00c73b16d561166363adc2396e7ea639a763fc80e85c05910c67ec4eb7c4e411e49ac803b0e9e4dd2bba5bf5d2
-
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024042505.000\results.xslFilesize
47KB
MD5310e1da2344ba6ca96666fb639840ea9
SHA1e8694edf9ee68782aa1de05470b884cc1a0e1ded
SHA25667401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
SHA51262ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e2f0fe48e7ee1aad1c24db5c01c354a
SHA15bfeb862e107dd290d87385dc9369bd7a1006b36
SHA256f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9
SHA512140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57e0880992c640aca08737893588a0010
SHA16ceec5cb125a52751de8aeda4bab7112f68ae0fe
SHA2568649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2
SHA51252bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD592098dd356a80d474c7bddac34e4265b
SHA12a2e179179d618f6ee368c97398c7389780b44c7
SHA256e6c0c9fa8f0bf647ca4ea04188b59359b99a9dcee67e9c48d6903016597ba341
SHA51277b98830f37aac6656cfa03d2e7d38ec4629dc5c5066ce95cf8208e199861f6400b2aaa63cd9e6fb53669e3a84c6d450c1384dbd57a91f7114e590b6f7781540
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5d9ea395c95558e5804a8797341b1514d
SHA171498bb138e82b03ed9fbfc4e72e1b5252f7c596
SHA2568fcf636b84635cf02317ad6bfeef58aa22f51a2daf39329e641400a45e364429
SHA512e39c45e5109965f0e4ee309fe6d7d347a772165e1e6965801683144c19607e9724c3d7a18edc5956402271212f4cfb5c8a2a0e67b19a07693ccf15f4f4d8d2aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e21ba4eebc43b551b57a11f759ab9285
SHA1cadc45622fdb26d05e5031645ed97dd5d4c2ca43
SHA2566abc2b1fa8fdf112be47497c51c69a4b15896044ee6b934c82044deb494599a8
SHA51209abc14e8e638a4b492d4e106fdca6fa19ee2bd5ff302678b5c2898ec8ca08e7d1f57180ed78b43a14b37112484c311471ceb091f2e11624c90db4100f07dc78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5cf52ffc6ee5974e15e8f50e9000b8ea0
SHA14957b92faadd9473caee4235d7d84b1c0c3c7464
SHA256292978035a5b0bea143b114488241b70e14545b9cb5d99a7625611e87d4cc70f
SHA51298e000e10b6d70b6b6183936fafad4ef6e504fa857779a4b58a4abfcbbfc09fd358b79bca02c798ad11176de51af63d25f06d3dfacd4af361e0799dc10afd1dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5702cf2a59b7f9233c30982fca33685ca
SHA19f6998687ff8910f9cc35a87a63b6ecbf7ad6ad7
SHA256d0501a479a300d9e795a64d4d974265e2a627fa36d69ee02ddbc477fba363dac
SHA51234af398c48621f907b5456fc63b7fffbfbe181623df444c2d0acbcc790e4f44a52e75d18ded06d9780c8d3019d6cd5ccea907421202cdbdcc724ae936f5cb13e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD564c6ca6c82823ee9c4071dff291c132b
SHA1fcc81272343c7ddd0b8576d4ade9e314baf58af3
SHA25683bbe8fef440a27a53959b5dbd930bfbaba90221ed43aecc6bb746e3eb92e0ac
SHA5128ffa016a595858a46624a28428304904ae5c799f6a343c8d17afc6c33e15464f2730db696992e818d95d92c443f77146e80684e852d7a14520116b2dcf69d9da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5fbb5a531e64529de958371368856f38f
SHA106816ad45f0a6cf51b5e5502f96bd51f52b07641
SHA2569555d01a3656dc424fb40b11782212391e2b4c9adfb2bf59642205089839d7e0
SHA5123f04d4790584d6eadf9cc32b162ed2640eed6419a43a987824f1eb256d3e7d4ee869deb043177e69dd00f8e98a8f25bcd7e7e030d91a55eb9beb34eeb2e0aea0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD51ebe07abff1156e19e49fbdce5058d8e
SHA1647214240312c1e83cdb9972fd107ffc3acf9218
SHA256626b88e568fdadeed3a4f1a63e5c59279666b6dabd703434b92a303a48e5dea5
SHA5123cd28b64fee80ccd8727a7dc7b3755a92ca07ed5657cb28d6b679ee99f4a56a2f6f3a9ae72d5c6771e86949022d83ab100a78401a2a8157da27bd54323bab58e
-
C:\Users\Admin\AppData\Local\Temp\PCW7CBE.xmlFilesize
762B
MD5b50d757b8aac04d2e07fefd5aeb01898
SHA15054d3ab860f48a152c9f8cd1bfb10c3bf6529c3
SHA256b62c2d4a59192cd1e9f642dfdae6caa8b5e30abdfb2890d944e5e59a9cdec476
SHA512929a59377dab2b2832fad3007f5b62504890a6cbbf3461b483e467988db0d400143b876c3ed766505bed7b29918ab561ec06cbfeb900877b37bfec021824e1d3
-
C:\Users\Admin\AppData\Local\Temp\RES8327.tmpFilesize
1KB
MD56b9854dfdc471a946e794fa74ee4bb4c
SHA1d02a83979d2b850f6cfd936d5adc94ecbfe3b13f
SHA2565af22f70e0747ed0be16c2a2abb802612096c6ffa2fa46ebf270fd21c7aa843a
SHA5121c83ff68f7acb3b0872694619be84c8b73f4f5041a506298663ad59e9b3902e573f355422247d74805170016d55388431e130622b821d0161006221f3c6f7a31
-
C:\Users\Admin\AppData\Local\Temp\RES8401.tmpFilesize
1KB
MD5ef51b6947edcff740285d07686eda579
SHA1165e996d86f9caef32f850903afdc6e413995170
SHA256e7552ccba1c63fbe90d1cf4d0a36d236cb6cc70bf9de2bafa851b76461e4f2d6
SHA512d4c77bb9a5fa11dc3cae86491daaf126e29d62b8fa59906f442960f136984cc9f568453a1af66ecaf2a2438692cbe8517af8dc054e8231eb8e1d813b86ae7f5e
-
C:\Users\Admin\AppData\Local\Temp\RES87F9.tmpFilesize
1KB
MD53a1b7e60d6bcb8ee260a7c3740732289
SHA1b40a8a221a106bf5014328f8e18cebf98d325271
SHA256b26bea6b33f2853fe076187206e6be53901bf97b81c4d2530c44358e72604740
SHA51230d6616f57fec09e436b739f00cb63da08b8bff2fcdce9c147ff8ca10343371bf7c67e76d02262d706a058917ed2c66a6256dace094de7f3fc59995a73817718
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23hzyoau.hwg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\abtmp2kx\abtmp2kx.dllFilesize
3KB
MD5e891fc5effc33cbff58a84cfa76e0af5
SHA17c7b0895fcdfaec2231d908aeea373d0ab4d319c
SHA2561012df45785b523575f8162060d9d8af64f379ea0e262b9d5a5b8486074bd7b3
SHA512f9d46877d32b952cd30898e0b283d6a64c8aad90756fbee71fbc2d922257ba5a5a805b3c117c1f8bfdf660103ca14af71237ddc0e0e3585825cf61181aa2888c
-
C:\Users\Admin\AppData\Local\Temp\kwkmtf5i\kwkmtf5i.dllFilesize
5KB
MD5b64c138944fc04ce19612653b45ea57d
SHA1b46767ffb7acb1086be504fcedcc98ba815c5dc2
SHA2562d7cd2a623169fedd4f94adf4da1aade9714b07c601842e94a9d6de3bd8d0e06
SHA512f6ff66cd2c604d14851ea51536b846f8cbdbc0adfd491b587ca9dd4c21ae358aafa90b49fa3085e34e20eb8360924e552a8f964c8ebeb545002c435515294395
-
C:\Users\Admin\AppData\Local\Temp\sea2koqs\sea2koqs.dllFilesize
9KB
MD5838309d8f5e9fbd137ddff417c3e7583
SHA1a254973af5b526ff0268bfe4054f0fd1b0c123e3
SHA256afb220d89ce946af7ef5cde7d84306303070b5233f5e4fdded4e573e1da95db1
SHA512c831fedbe974d02723792de204feceb7442e890b8c8da4dacf9cf70a50f57eacdc39b8842d6c6a50e9a9c85f72b46caf4739b9781029e2db0347c4194619e13f
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18.zipFilesize
108.6MB
MD5d8075a9f54507e51f70df9e514adca7a
SHA127826cfa5ab97b670236400841f64bf868e53136
SHA2567afd7a93d5366772301fb1ed8b0f7130cdc12edd9967bb61c5b3dd48192c164d
SHA512c0592cc6453df34f23958ce1ca2c6604b70702fae289eaccf3550567f8b4f5c09d610cba33932cb95781aac7f4213d621d0b4b68248541f64f029582809a6093
-
C:\Users\Admin\Downloads\OnlyFanLeaked_18\OnlyFanLeaked 18+.exeFilesize
32.3MB
MD5ddf18aaadadec122fdf6f800876a7dc2
SHA149b023e63a98c88dbd2187318be8f42a91d6c16b
SHA2569d5b80f338a71eb322edc679cb0756415672c2263a68f2dd28ea2b6734938611
SHA512f9c26e5df8373689fc1c8c2fead823ac73fa18c36c4c4b927f1c596ead91c3e6f67aa0999851b2933caa20a26468713dec6e7411d1d0f9cb1bb1b2ba07a799d8
-
C:\Windows\TEMP\SDIAG_003e71b1-306f-4e94-b6b1-a8964afe2f07\RS_ProgramCompatibilityWizard.ps1Filesize
49KB
MD5edf1259cd24332f49b86454ba6f01eab
SHA17f5aa05727b89955b692014c2000ed516f65d81e
SHA256ab41c00808adad9cb3d76405a9e0aee99fb6e654a8bf38df5abd0d161716dc27
SHA512a6762849fedd98f274ca32eb14ec918fdbe278a332fda170ed6d63d4c86161f2208612eb180105f238893a2d2b107228a3e7b12e75e55fde96609c69c896eba0
-
C:\Windows\TEMP\SDIAG_003e71b1-306f-4e94-b6b1-a8964afe2f07\TS_ProgramCompatibilityWizard.ps1Filesize
16KB
MD5925f0b68b4de450cabe825365a43a05b
SHA1b6c57383a9bd732db7234d1bb34fd75d06e1fb72
SHA2565b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025
SHA512012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af
-
C:\Windows\TEMP\SDIAG_003e71b1-306f-4e94-b6b1-a8964afe2f07\en-US\CL_LocalizationData.psd1Filesize
6KB
MD52c81a148f8e851ce008686f96e5bf911
SHA1272289728564c9af2c2bd8974693a099beb354ad
SHA2561a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437
SHA512409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb
-
C:\Windows\Temp\SDIAG_003e71b1-306f-4e94-b6b1-a8964afe2f07\DiagPackage.dllFilesize
65KB
MD579134a74dd0f019af67d9498192f5652
SHA190235b521e92e600d189d75f7f733c4bda02c027
SHA2569d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e
SHA5121627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3
-
C:\Windows\Temp\SDIAG_003e71b1-306f-4e94-b6b1-a8964afe2f07\en-US\DiagPackage.dll.muiFilesize
10KB
MD5d7309f9b759ccb83b676420b4bde0182
SHA1641ad24a420e2774a75168aaf1e990fca240e348
SHA25651d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f
SHA5127284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d
-
\??\c:\Users\Admin\AppData\Local\Temp\abtmp2kx\CSC20F2E6E257F64841B5C77DEA89379C.TMPFilesize
652B
MD52ce8d23701feb08c61941adecf230988
SHA1c5ac4c48ad291bab095ec84fe45d810610b1633f
SHA2566646cc700d2a73a9631eb97a091abdb66f1acaf13ce3fa6fdc1bb681fb29e91b
SHA512a4f47fdaa2c7dd219a32347acc1ab73a1a93dee2719ff5fa7ee3a0f5cb318f53c26109290dc120ed539108b62364fce77a6e6aa879d9d43ac4d393f53b3677e4
-
\??\c:\Users\Admin\AppData\Local\Temp\abtmp2kx\abtmp2kx.0.csFilesize
791B
MD53880de647b10555a534f34d5071fe461
SHA138b108ee6ea0f177b5dd52343e2ed74ca6134ca1
SHA256f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e
SHA5122bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969
-
\??\c:\Users\Admin\AppData\Local\Temp\abtmp2kx\abtmp2kx.cmdlineFilesize
356B
MD5e3068c6ebb742c69f147a4ca957389c9
SHA1cb815d586d77cdcb5f00d2efe82181903a4b4812
SHA25638d75f10bd01f7742774554239707c637110f5cfa8577d107c8bc454e7ab0970
SHA512f38e9acbc2812a63d027e7527eb6d1aba988a1f96568187e10ebe0fb8d702922f3a4fbdcd6dbc28a23fd4aebc240b3715656dfcd3d10bbba8bced0298e7efdd4
-
\??\c:\Users\Admin\AppData\Local\Temp\kwkmtf5i\CSCE22054CEA2944CDAAC24BEF7A0C4FC5C.TMPFilesize
652B
MD5013174f17b30b7addde10f7a63d0c634
SHA14656b9b217c646e9213c8f9d6bd5391ce69e49ce
SHA2560407d3e5e23ac9f515b18b52fe5758424fc7032c2cf5aef1ab596df219b362f6
SHA512da7ce53a04b3da16af76eb32198d692b391d39365b4722c7e51b03f68f46214027ba27d92ceefdccfe367c903fa344b1c33629117de6250a6c47a0f16a664a28
-
\??\c:\Users\Admin\AppData\Local\Temp\kwkmtf5i\kwkmtf5i.0.csFilesize
5KB
MD5fc2e5c90a6cb21475ea3d4254457d366
SHA168f9e628a26eb033f1ee5b7e38d440cfd598c85d
SHA25658fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77
SHA512c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6
-
\??\c:\Users\Admin\AppData\Local\Temp\kwkmtf5i\kwkmtf5i.cmdlineFilesize
356B
MD5d948c436f5b4c0c2fe7070f8878b0a64
SHA1e94e9c39e99d263b330e72e58cd69707b9aa20ba
SHA2569ed60a9a245f76597701558c92908c85d50bd799164afd8ac065b3fc64351d39
SHA512bd6868ae8aee5d11d86a50aebce51501ce952f2f814d5014726a37d60d92042d7a71d6616b81a2e7caf55f42e41a4b23b49b185426bac3a1b8295587ef39bbb9
-
\??\c:\Users\Admin\AppData\Local\Temp\sea2koqs\CSC78302AC8EACC4D91825891ED1A9B1369.TMPFilesize
652B
MD59cffefc65e8e43cfa6836f3130e086c0
SHA1af8fffd40d0e90218492b6051d829e90d2b4f81a
SHA25644b622633337b9782284eb87f3ddd47059d5c829fa0750df3f51fc63472f26f6
SHA512b92b830fa8fae1d9d02c02b401ac4477f53237c716b02d1df3965e090af523d49f028bd47d3065e51ff0b55c2e179e2243a31b2d7bc619dd662b6a78d2d6dc3a
-
\??\c:\Users\Admin\AppData\Local\Temp\sea2koqs\sea2koqs.0.csFilesize
11KB
MD5acf1a7b8aab4c6efda423d4842a10a85
SHA1ac55b84b81527ad1224a85640c5a2555b19b685d
SHA256af0a7036a5f650570990f2d562a7c7636b6eaa54f53b6ce3f43aaa070188dafa
SHA51222e5a8b633a0189e836adb0c34c84b5029e8069e2f0a77803da91ce2b0da14b8fa231ddd1f1b164992d534b8a4ccc51c270e8ff2ff3f2f34536432b4abfc04e5
-
\??\c:\Users\Admin\AppData\Local\Temp\sea2koqs\sea2koqs.cmdlineFilesize
356B
MD5efc1c7b70c11e6a35bbb4494ef98b246
SHA1f18837138669fef328c2910f8bc884505be1243d
SHA256166465ad352cc7e0453b62e1c1495843de79336167563a33c79e07ee58a92a81
SHA51251cd3dc5602775931268471082951a8a6dbe9b89faacc5df1e85c88c81302ba3a04edc282158a6a760d516d8e58909d3f6e03f06f793e96b7bbe6b44003cb7a0
-
\??\pipe\LOCAL\crashpad_4404_XUNAJCIPOHBDHMENMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-369-0x00007FF6C49F0000-0x00007FF6C6AF7000-memory.dmpFilesize
33.0MB
-
memory/1028-343-0x0000028CC6550000-0x0000028CC6551000-memory.dmpFilesize
4KB
-
memory/1028-328-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-346-0x0000028CC6490000-0x0000028CC6491000-memory.dmpFilesize
4KB
-
memory/1028-358-0x0000028CC6690000-0x0000028CC6691000-memory.dmpFilesize
4KB
-
memory/1028-360-0x0000028CC66A0000-0x0000028CC66A1000-memory.dmpFilesize
4KB
-
memory/1028-361-0x0000028CC66A0000-0x0000028CC66A1000-memory.dmpFilesize
4KB
-
memory/1028-362-0x0000028CC67B0000-0x0000028CC67B1000-memory.dmpFilesize
4KB
-
memory/1028-338-0x0000028CC6550000-0x0000028CC6551000-memory.dmpFilesize
4KB
-
memory/1028-294-0x0000028CBE240000-0x0000028CBE250000-memory.dmpFilesize
64KB
-
memory/1028-337-0x0000028CC6560000-0x0000028CC6561000-memory.dmpFilesize
4KB
-
memory/1028-336-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-335-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-334-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-310-0x0000028CBE340000-0x0000028CBE350000-memory.dmpFilesize
64KB
-
memory/1028-326-0x0000028CC6910000-0x0000028CC6911000-memory.dmpFilesize
4KB
-
memory/1028-327-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-333-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-332-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-331-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-330-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-329-0x0000028CC6930000-0x0000028CC6931000-memory.dmpFilesize
4KB
-
memory/1028-340-0x0000028CC6560000-0x0000028CC6561000-memory.dmpFilesize
4KB
-
memory/1084-628-0x00000000012D0000-0x000000000131E000-memory.dmpFilesize
312KB
-
memory/2804-374-0x0000000000E00000-0x0000000000E4E000-memory.dmpFilesize
312KB
-
memory/5008-163-0x0000000000810000-0x000000000085E000-memory.dmpFilesize
312KB
-
memory/5008-162-0x0000000000810000-0x000000000085E000-memory.dmpFilesize
312KB
-
memory/5008-159-0x0000000000810000-0x000000000085E000-memory.dmpFilesize
312KB
-
memory/5212-519-0x000001D7C0E80000-0x000001D7C0E90000-memory.dmpFilesize
64KB
-
memory/5212-534-0x000001D7C1C80000-0x000001D7C1C88000-memory.dmpFilesize
32KB
-
memory/5212-548-0x000001D7C1CC0000-0x000001D7C1CC8000-memory.dmpFilesize
32KB
-
memory/5212-569-0x000001D7C0E80000-0x000001D7C0E90000-memory.dmpFilesize
64KB
-
memory/5212-566-0x00007FFD08520000-0x00007FFD08FE1000-memory.dmpFilesize
10.8MB
-
memory/5212-518-0x000001D7C1C90000-0x000001D7C1CB2000-memory.dmpFilesize
136KB
-
memory/5212-517-0x00007FFD08520000-0x00007FFD08FE1000-memory.dmpFilesize
10.8MB
-
memory/5212-608-0x00007FFD08520000-0x00007FFD08FE1000-memory.dmpFilesize
10.8MB
-
memory/5212-563-0x000001D7C1F20000-0x000001D7C1F28000-memory.dmpFilesize
32KB
-
memory/5532-160-0x00007FF6C49F0000-0x00007FF6C6AF7000-memory.dmpFilesize
33.0MB
-
memory/5532-148-0x00007FF6C49F0000-0x00007FF6C6AF7000-memory.dmpFilesize
33.0MB
-
memory/5848-289-0x0000000001000000-0x000000000104E000-memory.dmpFilesize
312KB
-
memory/5848-292-0x0000000001000000-0x000000000104E000-memory.dmpFilesize
312KB
-
memory/5848-293-0x0000000001000000-0x000000000104E000-memory.dmpFilesize
312KB
-
memory/5960-291-0x00007FF6C49F0000-0x00007FF6C6AF7000-memory.dmpFilesize
33.0MB
-
memory/5960-288-0x00007FF6C49F0000-0x00007FF6C6AF7000-memory.dmpFilesize
33.0MB