Overview

overview

10

Static

static

3

paradox_download.exe

windows7-x64

10

paradox_download.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2025 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    paradox_download.exe

  • Size

    886.2MB

  • MD5

    29f5a1a19daa6321715c1e705fe7b362

  • SHA1

    78130ffda080dfbc1cd12cf3a6298073ed2bcd4e

  • SHA256

    e30ea9b0d1797cf6bb8d8f6f5c462a049eeede3c1a26a5bf164128cfd23fe48e

  • SHA512

    5e8b31fdf2971e145516a4b2223dfba88340fab3a75a319e3cfcd59cf71b44f28ae5f27829b4fcc660acc33fac5dbfb14b576bde381fc152c76b262146f275c0

  • SSDEEP

    98304:McE0x2XXL/zwQEREDNMsAf/e3io86BepisRGRdv27I8WHg+eVL7sY:M02HL96EgfMiod8p7GRLAPL7

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 4 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\paradox_download.exe
    "C:\Users\Admin\AppData\Local\Temp\paradox_download.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Gold Gold.cmd & Gold.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4008
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4620
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 573598
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1264
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Export
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5040
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Stress" Mercedes
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 573598\Fork.com + Protest + Kruger + Viewing + Zoloft + Successfully + Opposed + Grass + Erotica + Statewide + Ceo + Innocent + Cam 573598\Fork.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Brick + ..\Enquiry + ..\Obligations + ..\Graphical + ..\Drama + ..\Preston + ..\Halloween y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3500
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\573598\Fork.com
        Fork.com y
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:936
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4736
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2804
    • C:\Users\Admin\AppData\Local\Temp\paradox_download.exe
      "C:\Users\Admin\AppData\Local\Temp\paradox_download.exe"
      1⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Gold Gold.cmd & Gold.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4856
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "opssvc wrsa"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4456
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1412
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 573598
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3988
        • C:\Windows\SysWOW64\extrac32.exe
          extrac32 /Y /E Export
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4552
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "Stress" Mercedes
          3⤵
          • System Location Discovery: System Language Discovery
          PID:552
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b 573598\Fork.com + Protest + Kruger + Viewing + Zoloft + Successfully + Opposed + Grass + Erotica + Statewide + Ceo + Innocent + Cam 573598\Fork.com
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1396
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Brick + ..\Enquiry + ..\Obligations + ..\Graphical + ..\Drama + ..\Preston + ..\Halloween y
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1068
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\573598\Fork.com
          Fork.com y
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4032
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4904
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
        PID:5032
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2492
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c274643-5966-40a7-8495-d7a530472deb} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" gpu
            3⤵
              PID:2960
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b4a8f3a-23d6-48c9-b61b-7b595987b9f0} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" socket
              3⤵
              • Checks processor information in registry
              PID:936
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89232449-eadf-48f4-aec6-5f482cf24db1} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" tab
              3⤵
                PID:4448
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6a5a3a-e795-442e-9333-37201a09ec8e} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" tab
                3⤵
                  PID:4908
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b31bfd2-25b6-4167-b586-4c5369e183bd} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" utility
                  3⤵
                  • Checks processor information in registry
                  PID:336
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c83ae367-d683-4c5c-9a84-0b3ab3748cbc} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" tab
                  3⤵
                    PID:5804
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5444 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b3843b5-cc8f-46b3-9f44-7aa6b71cae59} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" tab
                    3⤵
                      PID:5824
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a120587-f43e-4557-931e-6a731c86224e} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" tab
                      3⤵
                        PID:5836

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\573598\Fork.com
                    Filesize

                    1KB

                    MD5

                    b7b1f4903e2589bcb3de5723b537363a

                    SHA1

                    7ccb3043a1ee4404e2cea88f1a8e39590d308569

                    SHA256

                    14724303a7e993254123d9aa85dbd07b629c5f64204e338ce7b3a9bb04a9af7b

                    SHA512

                    78c605914d970bf420acc9213e633ac397998c5e5d55446db5dced5b6a6346b98da991818f27de3f50ede2d5d437e851556bfc308bc2698dea30b4098a98f629

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\573598\Fork.com
                    Filesize

                    925KB

                    MD5

                    62d09f076e6e0240548c2f837536a46a

                    SHA1

                    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                    SHA256

                    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                    SHA512

                    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\573598\y
                    Filesize

                    504KB

                    MD5

                    e81c88f1f7888a982875092745f2bd6b

                    SHA1

                    51fc67333d2409cfcd785e9c15b194c5ba9bedd2

                    SHA256

                    cfac75b5319ef074e188e51d64643ac7a0dc5790879cf2f6602f4ad4b63790fb

                    SHA512

                    e8461b35cfb2be1baea27c38e59c7d827112dbfad2877631d36bb9094959ecea63462bb2271f0d56e3779f8ad196b85044bcd7cd839771ae4ddbd067134f09b6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Brick
                    Filesize

                    78KB

                    MD5

                    dd54771cd1e67349e167301249a1428d

                    SHA1

                    7b1c72baef789871156149169ddc2680313deaed

                    SHA256

                    07fa61f48f3cd8e4b138b27d8bbdb099f3b53e60bfb00d218708196e3f44c5c5

                    SHA512

                    c0c710fc460a04a308b4c379f6ff2f93e335ff44a89ba9e30e42777c7956850c7a5bb49f79af0ea649249a5abe37db4ec96332c9e6d5a28ba16d4dbf566940eb

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cam
                    Filesize

                    3KB

                    MD5

                    5c61d006433f07a25769b362da95a64e

                    SHA1

                    88d8a02995889026a549ac19172fc20fe53c2c17

                    SHA256

                    7b42078004eaae24e14e89cdffd6bcfa9414a6ae48b8c2ceb9ea65fd7e59b04e

                    SHA512

                    e4b4c053fa5f6385fb08adf23951cc5b94514621212f3b51c8b78ab4cbfe1cf5a871f5b4f919c42b782f7991f8d38ffb7016df5620056552fa14c63a2c5ab8e6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ceo
                    Filesize

                    108KB

                    MD5

                    d260615fa1e3a7ec1b62711e9cde67a8

                    SHA1

                    51de4643f18b6d9ec6961467c72d4443c397bb6d

                    SHA256

                    259f045543db29d94e617a3ed192998046347cb05343012daf81dc9d52be7648

                    SHA512

                    3715a0fb41946695b4480cbe1522281b1ad22cf5e2032d26ee6821f6b469c0c0cc2af15fbda9b03aeb26a1749240dc30b01b772eec8ebb93fee7411a861a1e6c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Drama
                    Filesize

                    96KB

                    MD5

                    2d62ce4e35939becfa1fca0121846d5b

                    SHA1

                    f5c231c3cad395bb01c5c4e7fdc3bea049c88dbd

                    SHA256

                    a0c847123dfd43b9da82da84d82ce0ad6c8d8bf26d22a5b3f71d428df6a2242a

                    SHA512

                    de4050bd344c1476db5bc53f0cec29a4231cf995002caaa674dd1053accc0d4507f1e3f324aa1a75377dd76199d4bcb0977e4a4b24cc1ac8309cfffcca4d2bb8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enquiry
                    Filesize

                    89KB

                    MD5

                    38f61cea769ba18fb900d8299a84f645

                    SHA1

                    39f507b089ebccddd715e291069d08e1fbfb5331

                    SHA256

                    661fd96ffabdff4f994a38d30f1f1698a7d2fac55f529ff31d0240da51457399

                    SHA512

                    708e1d572a8cc4755107e97bb0ba055f68961b5068ca8aec974d804fc2b5af90034d3ade3287275ed77633661c9b4163d88eefb66d407a1b078b93d7a10dc0b3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Erotica
                    Filesize

                    57KB

                    MD5

                    b4f361c6c0fa211464fb27afac700b56

                    SHA1

                    e6c563a635d583676e32ac5e2c8ab6d2cc623102

                    SHA256

                    07b91a30703634be4ca21565844bd592c92a360472aed32bacb76a6a7cb1f753

                    SHA512

                    b96cfdf365e804b80198948076f9306a7ee1bb3207a093f84f9f30020f8199495eebbca1abeb81eea3e2cfa3bf032395760c74ab8ff7fcc6631cd2d219dbacd7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Export
                    Filesize

                    479KB

                    MD5

                    cb4babf4b566816c33a55e5c1265d94a

                    SHA1

                    0a056ba8ee41d1c9388614df0f4c85b4ccbb2caa

                    SHA256

                    386a35dcf91350f176ba74cc0d7f7358a0ec0ff0a485cc40c0af1c091db1db7a

                    SHA512

                    7dee247fbbe49a17d1c4e3dfd05d12f786b5fc8fa544342d073b3b44dcb9f9044f369f86b8581619681805a98cfee4ae2ee673428d2c03b6a90603c9d208d9d7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gold
                    Filesize

                    17KB

                    MD5

                    a94b591edb47b95b84ab90a549e389d6

                    SHA1

                    35aa8c83d80b1434d3db4c1809dd332dae5b93e4

                    SHA256

                    85731fd973f41aad749ac5b2ef1e153164fb142d8290f16a6035ab0f3b0eba8f

                    SHA512

                    6643e2ac0f79ec33f8b286da981e9ff480e0819638c8c8526a0f72a97be25f7dd6696dd7b66415429a5f151d10d036f4a737a48a26f7a49ca6c8b275957254ca

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Graphical
                    Filesize

                    64KB

                    MD5

                    71d1a169eb7cfc95e88312ec233e428b

                    SHA1

                    db224a7cc4f5af5e0cb213654df966c3d18ebd71

                    SHA256

                    17aab10d63b1a6ac01dbea59bd5cd269030adebc459757f0c2beb9590bb22e18

                    SHA512

                    0fac344990994cc0122f2a0f27c4c7ecc6aa244fefdb3354c1c3259b4341e025e03f46c6c4597a9a85d34a4efd8e1d9581cbbb0b6dcee79e3f816f840372f3be

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Grass
                    Filesize

                    62KB

                    MD5

                    90e3278e38591bfa21ddec1b86066854

                    SHA1

                    965ee38c17e2445a902fb4087231bab010ed5117

                    SHA256

                    68461676aadfb530956d80cea66d53a23cfcca6df7160e0628c639c1cadb55bd

                    SHA512

                    345cb20c87ee45dbd3b7e8c820ccc4d4535a8d33f0abc646ccb4500c02d798880b4e3bfd5dce6aedbe115d99b8e6eef6fb5a539134fa8c979021818beb2770e4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Halloween
                    Filesize

                    12KB

                    MD5

                    849dc5ef565ee9e430cceb8d9c15653a

                    SHA1

                    972774b4c6c2e38f0ef6ec47b8a3f5daa0f4b733

                    SHA256

                    092c201b462b159a3de6e12fb3197dd0f88e7f6545011da206d81533ecabb9b9

                    SHA512

                    15103c6a72354203dc23dd22a909337da0c009a6d9f09f6f55b1cd10f200d54424954824a3d1965df6207003aba3ba7d3d0624f90ee22e6a9ca5f00e4119bdb6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Innocent
                    Filesize

                    91KB

                    MD5

                    3907b544af3c2822c7614a2efe0b5ba7

                    SHA1

                    b7cfddfbc3849229beaa59a06e2ee392c57f27c9

                    SHA256

                    c28ffd8b274d44e1675d2d7b7c4fc555e4532ee8b0fe6dd3ec335ddefb0f4244

                    SHA512

                    fb5b4a5b3c011974ba091f14e999bca1a3d88472d3856c0a834368ffe67b554194dfbd2995d93b9cf934e1cb6db3ea83961fcc0de784fc10a62094bf1d653f0e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kruger
                    Filesize

                    129KB

                    MD5

                    4048b618bf69f3a0f6a0be2a8a3af93f

                    SHA1

                    16f004d4635606a1f603a3e33c28b6e43195086d

                    SHA256

                    9acd3c1c02b1437c791f9e97c419147e2364edbbe1ed3217efc75efc809768e2

                    SHA512

                    ccf6e1d8d6f88842514ad7d3d19a2509975d80a5b108af76ce52fa2bc417b5e64bdf78308af00b0ca2ebdfeea8e812af6d46efb32eec50c8fbf31972fea6ea7e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mercedes
                    Filesize

                    1KB

                    MD5

                    d429530feab3215f11fe0494d5158e53

                    SHA1

                    2b3ce9e1a8e553d629d26b5e3feab44501aeb9a2

                    SHA256

                    e0ef84d25d5555fac06eeb3ad783eb8ce3fbd622a8e727a4bbb29970cdc47871

                    SHA512

                    96574c3804cd949437547b957add109b8a369fd402e7e37e53441ded827350ec3cd85485e95f06126e07c704285d00c499be5793b462218d3c31689efaccca81

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Obligations
                    Filesize

                    98KB

                    MD5

                    df922b5be3604f7daf3e662d73b2a128

                    SHA1

                    3766307f329ffaca886975cb72b4919477e4b84b

                    SHA256

                    ba7c026fe54b9b5190a88e7819356ee039e1f7f25a6975d35f562e940b568cc8

                    SHA512

                    a5ee8f2e9e16efd642a8d8773c8d557332b20b0e8b7248656eb4f22ea8973dfba3250990fb6b06411ba2f0e6fb46b73fbf4073b84783dd1533361eea59de591f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Opposed
                    Filesize

                    139KB

                    MD5

                    2b795799736ad7008998a10237e230f3

                    SHA1

                    e64174d30f78b2a05b26183136961a4675ece7a8

                    SHA256

                    4f1484acce53c60ff37c1493154f704baba36caf105e6cc6eb51158aa82bfff2

                    SHA512

                    36b738a43df36045b330acc984c9d6b962a8117b9eabfdea779fe65be196abe602886e5f4e3342954d2da5f86d442b0808ad279730166617b3c5b01755387a0f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Preston
                    Filesize

                    67KB

                    MD5

                    c8d789fb5e14a773902abb7bab33b8f7

                    SHA1

                    0e3a966df569f2534564af625036aa62316e1e55

                    SHA256

                    7b601802d7c6316f8ccb330c12bc56220908b18efa2de4b0f6e53b64ea255233

                    SHA512

                    0ede43a3a0786201d4414fc0a176d35b2de280e593d3255370d2aee992925caa7ba0a2589a3006174da7fcd25ee145e314508200f81a01d1acb297bafddeda0e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Protest
                    Filesize

                    60KB

                    MD5

                    1324f0896b135d6abf3a23a99fe43b2c

                    SHA1

                    9de8c2d4c36cb1f9f0746a5f6e3720e166783f4a

                    SHA256

                    ce387511e8c8cfb817fb21297f4b9855c3146ca873f0dec7b2003e0363c27006

                    SHA512

                    65f61c54d42e1fc83779b0ef10d7ba03549a13c10a06f469ec69fa7d0c3055654ac2e424cd26a13732da81db61be865abcd66cae112365bf092cdf2696eaef63

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Statewide
                    Filesize

                    50KB

                    MD5

                    8f6309ff0eb0e63d74a186501ee7f9de

                    SHA1

                    2c3311367c0aed1b7627dbca1d7a3b5b21b8cd35

                    SHA256

                    8caffe254bfa176eace0a6525c2aae880e14125dabcc8ddc3cfdd1618e449a58

                    SHA512

                    f9efef00958afac5db3dceea2faf6a572801067888e43241f034e22cc127df9dc08afd534d30f844f5fb0546b80f0d81a37a4462e0719bd328a4f17847cf1ae6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Successfully
                    Filesize

                    107KB

                    MD5

                    ac9d04c7ece15b1a43c5ffe41738abc8

                    SHA1

                    34a8ab8e019c4b22f8bd753d56953648b87c05d5

                    SHA256

                    da9521d65248cf5654ac7dd67208d99f872092e166562a4be199bce8fc89ef57

                    SHA512

                    582890270c8932902b950185e1ec7dd9d1b82fcfa91013177a088f9e54f1a1df3dca7fe21b59504f9e3069a2b739ecc2171c4aca6689b129328490f2f9dd61a7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Viewing
                    Filesize

                    50KB

                    MD5

                    65d930ba58ca517ec193fb8052d341db

                    SHA1

                    99524db063e9ef5a1f2729007f564687849aa9da

                    SHA256

                    39391f998b25940dd4d808b04d4b5534e259af940ecf12d7c9bc865d7f6e8c82

                    SHA512

                    5f1e882d321bb889224dae3aa716e9654c0e9247c5197fa0473b8ac394024925e1f835ee161a16b73f816b70f95f19223ea4c81a7c31f24548127bc84642f316

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Zoloft
                    Filesize

                    67KB

                    MD5

                    13a3e8f682f24a8c2fef10507d22faaf

                    SHA1

                    a24e7e43981f88c45ebc60ba5c6da95a395c7e2a

                    SHA256

                    ad2caa2c77c4f9d4ddae27bf7f7d4e3bf5e5d8f054fa0151f3b1bf625175547f

                    SHA512

                    d312de049c6af1fd110fdd30c583ff6aeeb6f84d9b30966fc8014db507f28088c9b0484d9f6fc36129808cc17b02a9fe964f4849ff6296aeae87a49e65f72deb

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                    Filesize

                    15KB

                    MD5

                    96c542dec016d9ec1ecc4dddfcbaac66

                    SHA1

                    6199f7648bb744efa58acf7b96fee85d938389e4

                    SHA256

                    7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                    SHA512

                    cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin
                    Filesize

                    6KB

                    MD5

                    7ab87ca4ec7f4bfdc80f8df97d3bdacf

                    SHA1

                    4dc74a5e2c6c6b8519bae1d672875ee9db0ca766

                    SHA256

                    03b374ded54a56580cde38cb8e6e77a081690ecbef40b11fc58c9b9441272a22

                    SHA512

                    4f79e6c4b59dde283416802e70285aee27b992782dc36d720b4e74de6097458ebde092af983a1103eadc76e66d30f5872f2801566a8eedbfa73df45adc9f909e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    7a2c2c034dcf35a08bec2a63c75df13e

                    SHA1

                    e2b73f29f98866f8b32cc952de48b199337eacde

                    SHA256

                    477f7d47d1faadf792cdfc4762b659d732fd505d519c0e7ecf59741c2c6f2a1d

                    SHA512

                    6d984417b958d969f3c73b7c6e2a72b9ee0ba589887246a3283b4e1d90d9a810d4b9deee83e03315df9775aa3499d88e9197424b18ccb07273291aba953f1473

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    7b3dd2072233d3206868efee07b3d55c

                    SHA1

                    8969370c27d0ca829b7527859e13f689754adece

                    SHA256

                    c747cf364b8e1fb068bbfe2f0c970ebff7c6da170bb1571365521b6ea983da0d

                    SHA512

                    4023dc3bf1815be01d90428789daaa3d9edc8b707088759450ffa0ffb1404cd882a6ebef48577e4bb1138722c95b95e7091d81c951818c6d5c4fde183a33bc0b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\48297ed0-8b2a-423b-9c08-b18fe26f162a
                    Filesize

                    671B

                    MD5

                    d5f9ac1c6eafff9dd7e5c92641451b2f

                    SHA1

                    4c08a62d7c0c0164ca68bb99f211ace42a79c908

                    SHA256

                    201f759e6a4d5ebee0e8e4cfd00c5502079491094dd4f3fa7fa48aa804228563

                    SHA512

                    1037ca401ffe0355390adfa958ba7dfe535820ec387ad2915746e8d75a61187974ebe90ab5cc861cbc8653805fae87f70de6250f845c339085a7522c756b3bfc

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\9791d976-3302-43af-855e-107875059445
                    Filesize

                    982B

                    MD5

                    cd0281a8a8b53e7ae7e64e694784c8be

                    SHA1

                    897ae93dd4a2cd477a4bcbe944f479599ba38f02

                    SHA256

                    ecd28b8be6277412412320ed9696ddb7049fb8d7f40af37803247d2d380f88b1

                    SHA512

                    f1e8e3de4851b51dcb1f1994e94d860195dc84c40ff893d13f27ca654f55a7279cbaeffb150c85ffe1abba4f65f142f8f18229492a872b1c463b980cb5015014

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\99bb26b0-fd6f-4213-9078-ab2cbe4a7a55
                    Filesize

                    28KB

                    MD5

                    3fed5d4b2de330060fd3ddbae7dd0995

                    SHA1

                    364018f7cd84e4029896e3c80197bfdfd83b908d

                    SHA256

                    de7e93156a9bf8459a4be8a5553d87b8247c9056360cd52c1e7f7f9772d33270

                    SHA512

                    76ec3c859dc2d9710d8af49f525b10e8da160b7767eafc44cc41e686adf97fdadad5ca7449b8302f68b11379e834033e4d7c59e024eb01433b5458ea0fc4c324

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    28e79a351d64a6dd7619608ba8a52de1

                    SHA1

                    a8401e66e7c303b4aebb36b0518ae6113d04935c

                    SHA256

                    814f4bd685f863203f8ef40c27e462f18d22c938dec08f78db1812742cfc8ddf

                    SHA512

                    622fc1a766f0e2c907ea8063c95c7223e8ca72aacb10f066afca7f415eed6221895c896398264dde1cb611c5f538f16ba8231e4639ec067f006f6eea0d08d8ea

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    1044ba2163cb7cd4626d9f8d42ba2fc0

                    SHA1

                    22782e4f5acd7b8e262a6b210f27136ec122e3cc

                    SHA256

                    fa1ce16d3a93c12d781bbcd7016f72244fefaae95cc665d56c21844185ae5035

                    SHA512

                    da72aeb5cae266d47b4c68ce2f31893bcaac9a7add47f08e6f46bc0f3ad90212110433fe59861d062104304acfc77cd1e70db0364a262d36d72b39e579d67195

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\sessionCheckpoints.json.tmp
                    Filesize

                    288B

                    MD5

                    362985746d24dbb2b166089f30cd1bb7

                    SHA1

                    6520fc33381879a120165ede6a0f8aadf9013d3b

                    SHA256

                    b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

                    SHA512

                    0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

                    Download Submit

                  • memory/936-81-0x0000000003E30000-0x0000000003E8B000-memory.dmp

                    Filesize

                    364KB

                    Download

                  • memory/936-82-0x0000000003E30000-0x0000000003E8B000-memory.dmp

                    Filesize

                    364KB

                    Download

                  • memory/936-79-0x0000000003E30000-0x0000000003E8B000-memory.dmp

                    Filesize

                    364KB

                    Download

                  • memory/936-80-0x0000000003E30000-0x0000000003E8B000-memory.dmp

                    Filesize

                    364KB

                    Download

                  • memory/936-78-0x0000000003E30000-0x0000000003E8B000-memory.dmp

                    Filesize

                    364KB

                    Download