Analysis

  • max time kernel
    98s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-05-2024 10:42

General

  • Target

    ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_.zip

  • Size

    9.6MB

  • MD5

    118b664cffc151b50257f9b058892e75

  • SHA1

    40bb786344e6eadbd76721e9b84011d16055e825

  • SHA256

    49643b1f483f32112775c305890180d4d11e12ff0a5a3202bfc1b83bc4b4c65f

  • SHA512

    0e3e4b1a9258ae1540bcd84998cd9bf23b2c0f8c54bd3dffd44480f5c65d6a2f34c942f6ae46ce966e96a2dd463e3223cb4e67df5bf69eb77de2c06dd931b606

  • SSDEEP

    196608:fi96MPeuYv5wYPH42b48sm/C+1b9EOH9LJQO+++O+yABO/AxT:2dRWH4I4XAFb9Lh+++O+xeAJ

Score
10/10

Malware Config

Extracted

Family

lumma

C2


Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_.zip
    1⤵
      PID:1988
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1240
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_ㅤ_.zip"
        1⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1864
      • C:\Users\Admin\Desktop\ㅤ\S o l a r a X.exe
        "C:\Users\Admin\Desktop\ㅤ\S o l a r a X.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3940
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:3784
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            3⤵
              PID:2988
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              3⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4032
            • C:\Windows\SysWOW64\findstr.exe
              findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
              3⤵
                PID:2084
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 122774
                3⤵
                  PID:4712
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "MasBathroomsCompoundInjection" Participants
                  3⤵
                    PID:4044
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b Flooring + Textiles + Optical + Attractions + Assumption + Typical + Miracle 122774\M
                    3⤵
                      PID:736
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\122774\Locking.pif
                      122774\Locking.pif 122774\M
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:1752
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 5 127.0.0.1
                      3⤵
                      • Runs ping.exe
                      PID:2232
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4600
                  • C:\Users\Admin\Desktop\ㅤ\S o l a r a X.exe
                    "S o l a r a X.exe"
                    2⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1128
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1456
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist
                        4⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4864
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /I "wrsa.exe opssvc.exe"
                        4⤵
                          PID:884
                        • C:\Windows\SysWOW64\tasklist.exe
                          tasklist
                          4⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4248
                        • C:\Windows\SysWOW64\findstr.exe
                          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                          4⤵
                            PID:4412
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c md 122774
                            4⤵
                              PID:1396
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr /V "MasBathroomsCompoundInjection" Participants
                              4⤵
                                PID:4336
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c copy /b Flooring + Textiles + Optical + Attractions + Assumption + Typical + Miracle 122774\M
                                4⤵
                                  PID:5004
                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\122774\Locking.pif
                                  122774\Locking.pif 122774\M
                                  4⤵
                                    PID:4776
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping -n 5 127.0.0.1
                                    4⤵
                                    • Runs ping.exe
                                    PID:220
                              • C:\Users\Admin\Desktop\ㅤ\S o l a r a X.exe
                                "S o l a r a X.exe"
                                2⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:4704
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
                                  3⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4532
                                  • C:\Windows\SysWOW64\tasklist.exe
                                    tasklist
                                    4⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1404
                                  • C:\Windows\SysWOW64\findstr.exe
                                    findstr /I "wrsa.exe opssvc.exe"
                                    4⤵
                                      PID:3624
                                    • C:\Windows\SysWOW64\tasklist.exe
                                      tasklist
                                      4⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:620
                                    • C:\Windows\SysWOW64\findstr.exe
                                      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                                      4⤵
                                        PID:2952
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c md 122774
                                        4⤵
                                          PID:388
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c copy /b Flooring + Textiles + Optical + Attractions + Assumption + Typical + Miracle 122774\M
                                          4⤵
                                            PID:4424
                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\122774\Locking.pif
                                            122774\Locking.pif 122774\M
                                            4⤵
                                              PID:3904
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 5 127.0.0.1
                                              4⤵
                                              • Runs ping.exe
                                              PID:4560

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\122774\Locking.pif

                                        Filesize

                                        915KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\122774\Locking.pif

                                        Filesize

                                        17KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\122774\M

                                        Filesize

                                        485KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alot

                                        Filesize

                                        65KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Assumption

                                        Filesize

                                        42KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Attractions

                                        Filesize

                                        69KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bucks

                                        Filesize

                                        39KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chad

                                        Filesize

                                        13KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consecutive

                                        Filesize

                                        15KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Creature

                                        Filesize

                                        31KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cruises

                                        Filesize

                                        5KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Double

                                        Filesize

                                        42KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emotions

                                        Filesize

                                        12KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Favourites

                                        Filesize

                                        30KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fighter

                                        Filesize

                                        25KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flooring

                                        Filesize

                                        128KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Genre

                                        Filesize

                                        17KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hayes

                                        Filesize

                                        15KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Instances

                                        Filesize

                                        12KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kde

                                        Filesize

                                        57KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ld

                                        Filesize

                                        50KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Miracle

                                        Filesize

                                        18KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Old

                                        Filesize

                                        21KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Opposition

                                        Filesize

                                        40KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optical

                                        Filesize

                                        98KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Participants

                                        Filesize

                                        227B

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Portrait

                                        Filesize

                                        23KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Que

                                        Filesize

                                        34KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Race

                                        Filesize

                                        49KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Referring

                                        Filesize

                                        37KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond

                                        Filesize

                                        17KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seek

                                        Filesize

                                        30KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Smtp

                                        Filesize

                                        67KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Studios

                                        Filesize

                                        15KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tags

                                        Filesize

                                        18KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Textiles

                                        Filesize

                                        101KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thereof

                                        Filesize

                                        30KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Things

                                        Filesize

                                        16KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tokyo

                                        Filesize

                                        52KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Typical

                                        Filesize

                                        29KB

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Violence

                                        Filesize

                                        50KB

                                      • memory/1752-359-0x0000000004B70000-0x0000000004BC7000-memory.dmp

                                        Filesize

                                        348KB

                                      • memory/1752-360-0x0000000004B70000-0x0000000004BC7000-memory.dmp

                                        Filesize

                                        348KB

                                      • memory/1752-361-0x0000000004B70000-0x0000000004BC7000-memory.dmp

                                        Filesize

                                        348KB

                                      • memory/1752-362-0x0000000004B70000-0x0000000004BC7000-memory.dmp

                                        Filesize

                                        348KB

                                      • memory/1752-363-0x0000000004B70000-0x0000000004BC7000-memory.dmp

                                        Filesize

                                        348KB