lumma | hxxps://app[.]mediafire[.]com/v3txu5tkw7ln5

Analysis

max time kernel
98s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://app.mediafire.com/v3txu5tkw7ln5

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://begguinnerz.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
4588	Heard.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1660	tasklist.exe
4308	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\UrgentIreland	inter_acid.exe
File opened for modification	C:\Windows\AcreAirline	inter_acid.exe
File opened for modification	C:\Windows\TtDeck	inter_acid.exe
File opened for modification	C:\Windows\SupervisorSize	inter_acid.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heard.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inter_acid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807820034451499"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\interfi_acid.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
4588	Heard.com
4588	Heard.com
4588	Heard.com
4588	Heard.com
4588	Heard.com
4588	Heard.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
4588	Heard.com
4588	Heard.com
4588	Heard.com

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
4588	Heard.com
4588	Heard.com
4588	Heard.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 4940	1132	chrome.exe	77
PID 1132 wrote to memory of 4940	1132	chrome.exe	77
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 716	1132	chrome.exe	78
PID 1132 wrote to memory of 3312	1132	chrome.exe	79
PID 1132 wrote to memory of 3312	1132	chrome.exe	79
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80
PID 1132 wrote to memory of 3896	1132	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://app.mediafire.com/v3txu5tkw7ln5
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb603acc40,0x7ffb603acc4c,0x7ffb603acc58
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2140,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4888,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5164,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4956,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4836,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5196,i,16116461841465091377,11876213001891596780,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4824

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3052

C:\Users\Admin\Desktop\gath_acid\inter_acid.exe
"C:\Users\Admin\Desktop\gath_acid\inter_acid.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Citation Citation.cmd & Citation.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4308
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 170898
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Repository
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "zen" Consist
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 170898\Heard.com + Proposals + Organizational + Extension + Mb + Elite + Parents + San + Wordpress + Citations + Iso + Aboriginal 170898\Heard.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Willing + ..\But + ..\Situated + ..\Thermal + ..\Shuttle + ..\Conflicts S
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\170898\Heard.com
    Heard.com S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4588
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
76025b9fb7201faad57e95ac873e37eb

SHA1
25c01eb7d9a63723eac365d764e96e45e953a5c1

SHA256
03bb8cf70d96e562ff19d80ef9a01f8255aaa1a6ffa2005dbc004bb718e05269

SHA512
6f5c8680823f3fc01c4668585518a1a535959ec456bca88f81eebe0484dc6cf6bbc40044db4ac7d18798529a20feca039bd986f243db817f27df220a7917a28f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e15b82a5ecf346bfc35f12b6234f11f5

SHA1
c5563fe56b36a335c8721ff8e880567768dec81f

SHA256
f8a0bf00aa44e3ecaca0279529040f9454b1c93be5db429431016aa412921276

SHA512
32bf283bc220c52da5f6328e6e86b7d28f9ab3338b250bda8aeb70c7d7ccc9e3782795cb7e4c1064c3c3550db8858284f2c425cbc346e0f6955ee89e0de007b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
04d8ec526b3efca00138a4fe3f11da9d

SHA1
56b01a466957f216909420f03cf178d0bcbb2e60

SHA256
3a471a8f7253d88e18ebf96b75ef2dbd71f8b42b7dadf32a96276a197e781977

SHA512
e33bc6540fbd4e43e6d6132e6b4cead319bae00296442231e6c768f3d77e6d7cc94e333861862772b0d8a52a3c4d1f723e684fedaed2953f4818665eb38ef60d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0186ba2c5f24d70c8f8bfc12430af48e

SHA1
af987fff7526c63a46ab8b5d7aa66bc74c48a596

SHA256
13a05bc51bb1476ad889a2960293e700d294ca39d1058d8e08fc5cf832dc79aa

SHA512
f89b4178df60c1f41d02c95f1d9c2137fa01402b28e8813e4e994188edcfc85dd01e7d21a42c18921da80a887c845b94a523e370bc8f85ba1ec0127b7e5a8ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d25beb48c745a8efc1c02a656668f107

SHA1
0e441f48ddf51352ecc14d7bf83ed1e2b4123062

SHA256
aac519c5e0398d507df86f97d10667f7f7ce83ce5c550d89df64b83a23f824bc

SHA512
edc7909f28cb73d6d57404b509e137175045563277800f753c02dad3cec9084ae2d9e371533b43831927daba595639c9b7347f4037f2c87839dbd8557959139d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
b2a2bc355d2b96f73e22adb63c2627af

SHA1
590622ef8d34180d44aa51a5dedca26cb3107a89

SHA256
c390178e6b72dd23ab21ebd327c4d125f314e75500a96075fce6d559e5f5c1b9

SHA512
203549000e68258f714a3e810f4b6ea7f15b550a2e56915ef8aa735d7677c93da3fa0a89985002fd4e9df0fe45ea479fac8635ed96187e1cae12da2822e05f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
73d9fdfe708519cf5e98357031b642a6

SHA1
1087fde0de52ac54fd49877060fa42ede83c0225

SHA256
94ad469813b8a5b2c2b9a0ac3594f7bc07487c29cff34d7569ff199f9baefb12

SHA512
924fec83cc15bc38dc265668419c47444a2c23e17e229ea7edea242deb7e56b2b14a43b40ee08b937217eaeb45455583172a42824519a4107dac76299c2657df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3dfaf260b724bdc27119dde895cc0371

SHA1
c0a83eb48f06a33f63647e24e87801b03f0f01b5

SHA256
837db82cde7aa0f333eaf4f09f1c48b10324fe335d19eda32f7eed53cb389a13

SHA512
64d04ea7f155721e9d4c83461d5dc5d29cd1da963b23a52d4630a23cd751d79cad7df26dbed933b676981bd8d59de9916acdafeddfc93bcce408960d9bff0c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9edd3744773c2d8049e64425fccb3f53

SHA1
19b5ae43f778275af61bf43703d0a1e566fd4ca5

SHA256
07dbf552da697c4d88797585767371c15a05ae580b986452bc64a5a43fa55982

SHA512
8f529e539d4bb2b82cc1b9e98fddf8932b0ce2386ed4140145687efe651e873b1addd3cc3d5c3ef7ad6a1ae326fd90b785f11549981a7e68efff599bb3beaba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f747420b621436d18de9c93c9d5feac

SHA1
098626644aa91eeb1464b76fe8992bdbe298c465

SHA256
c46c983c27fb283d74c92be39f5b854b3b33dd7764f38ec7b179043de6fe2441

SHA512
ac070e7dd08db52a51f2e3bd9e6b2d5912b5f98ffdd183684f9425c8f8cb05e3a42a79af0c704884882aea691f2dec4354b5cd8b9a225793427aa065b39c076c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2cf8787e62ec431cf6f8985cc066bfe

SHA1
dd58485cf12e0f3786083213758d966d536698cb

SHA256
b2b8e0ca5bc687f0927e5400ae8d595cf18e2e0410bb4044f4703d13612e6dc4

SHA512
e2ad86ac661b46911f83b9df24d22a4c1e33aa50c36266b0051fc1394aa616974e1c8c0f3a674238b3b0a4ad36303ab688882465bd33defb1ed28c9703e343df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5b7b6f14f11b71f6b8f365454d2973cd

SHA1
d53643eb64515e3bb6c3c0bba7db58f4010963e2

SHA256
23214807421f01da1f453fc47a95cd918c384c5d410de4293b1669b0faf8ec31

SHA512
05c1fc3227c540f9bbccfeb0fee2c6a033c3f10ddec459a24a91fbf85d8ca04102f49f6eaeb18443c1e4a8ddb6fe5f8e6927f3412cc6421b97f0681574bb52fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
252d3edd5e46d3ed45ac6fa71bd0f42f

SHA1
2f7c140c311893e3ae6f925bd6d06f47c22fe8bf

SHA256
595e7f77145dc469a873af69e5f08178c2f1476244ab8b5f401efb8a6ca91f7d

SHA512
e2ec0fbcadb1d698121eb39d57092add765b3cf1eb9fbe0e1f56346683fbbcc1831166eb69d7d6bdcf27ec52dac99c4c1eb31d381cb753a1d142fc6bd735b4a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7eeea959d368352f1efb7c5a91c8874d

SHA1
b5484e4181a2e4937f22eaba12a6e959fa4baaeb

SHA256
8db22be22a834da38bcf5eac0c28e6286429b1f725bcb51837eb7ad8544ca78e

SHA512
5258c3b80da486f2cadf0dd08a8b5a3a14f25be9ab91504e86dba964a226d086a7c3fcf9c76e933ab255efc583b1c05ad786eec0bd5a7010e09d08002603db46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
af4c5c98f967c5de6e46f15404168417

SHA1
2c3975c86792cb947f34e37c2f97a3e597029f0c

SHA256
772365c5f8d19a9432ae6bac563a92483740af75952b6e439714b6d7f459a95f

SHA512
9d3142b75cba2ad4774687a8ace0b590c14e24e5cec9698023f2992b92c2bb3c35a27f7569915d99ae4c8dfa92b6f198392e1730536e8b090792bc3f6101de09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
bba04d545bab7a9ee62e6217a19a7988

SHA1
c156dadf23e68e744c64b9e75f50162dc8df1f39

SHA256
8d2d0f74ae8bf62cea04a2cb71e261702a9c507aeb4211c9fb6a05d743986c7d

SHA512
2a25d64368bad043099324018f87ed5f0fd77feae465cb4965b12fbc4211b51e0eb6f7d5817c15596354487bfa34fb4bfe60def4a244bdc06d3417af36d909e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0bad242b0852ff1eb8f738d985649696

SHA1
c416c0323029f915559e690cc9405fd2e9b3653d

SHA256
48694097537688437fe65d7351c774735b2a43ea5f81718503269bf1eb41b3b7

SHA512
553db40b03fec4512c5adce266d8f8f2829cbd31136e3dd80697811a1f8605857b6bc6ad1fa4cc1e33a9b8f5e605c3c97454cdc296f624416963abf0e8cca91f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
264c596b2d852f18d3f6c67ce3e19bd5

SHA1
8df3f8fd0d5f7026d7c743a9d9b8c940600f3c49

SHA256
af22693be370d2a61cc45b7254eb3836494fc279ccd9b08d5799b13c7cc5e6bd

SHA512
342173f4bf800ff7ccb938b6a0ff7bb6d23d6c887b8b7435f9711fa0305002428bc23bd98209e9e23ab51ed91e470ecbb5d6ac5cdde3e07e23eace8df252cb42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\170898\Heard.com

Filesize
2KB

MD5
430fde969f9da31e57dd08e4ababd9f3

SHA1
7ae05c0a8dae69b299aedd96d4b6ad5747576955

SHA256
a7ba6cc14188c9f372287a0b1c09f85610cf9d199db3cc6e2fb6bcefbce18d69

SHA512
5adf5ecd024a2e794f47676c130b306c1ba25f5030e590d2cf53dc03628b776c97e2a63236d820abb5563273f7085bec921650917c205fcabb93e85c3d48d0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\170898\Heard.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\170898\S

Filesize
468KB

MD5
e29526011a875b5df841536c5753c6f7

SHA1
cd0a163314691bad0879c5c4089f80753e152a9b

SHA256
98da08475b74376406ef3ef14f37679fe7a570ec352e5452dd92a334c951efd1

SHA512
e0f21e5118bf8a5350c08897ba7d3592685c59af6708a38dac900de9d368efe05b70c071f2f95fb6b66f25f0128b79201f70d09f48674b1a1a950ce8598e3f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aboriginal

Filesize
73KB

MD5
07314039b19dc13c7a6c82f2a9274051

SHA1
d11ea8b8d1b309b6c37f2f82b21d7dd81212084f

SHA256
c720ccc9b2b3178bf072abb0c1057acc6726da0fa6a2e50a87af879c40e2ed7e

SHA512
617831791d8e83f889f1a7864fc7dfd5d4e28e10b58996297619316cfcb057a06a160c293006839a4a62a52ed6864b47839f8a335175317095992a31fb7e2166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\But

Filesize
96KB

MD5
353cbcc4db2a06ca96989d8db45f5845

SHA1
8fedd5bb69d3b32031e05290de53efe342383491

SHA256
7cee924f41c91b416e718494229926a01fe493d882d0d9994dae053e1a12eafb

SHA512
a3a8e0a6bc2407fd5ad8189a1cff148671e4affa2157d7238df71164e671491b0fc62e3f218a0c1ec0ed10daf2b927e2b7ef6d7826199da08c8484596e002dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Citation

Filesize
17KB

MD5
6627bb2c9f64f623b082646bdaa3771f

SHA1
02d4e9eee858c99c7bc869166db9b70caec40186

SHA256
4ad227feb69b27715eda0555b3963f8d6faecb971f3e4627b55ef9e766710b0d

SHA512
7acebfa6d8b03c2718e3652e2060cb64322f4440701ca88e6284bebf6848c90925d1b0b9d4be6f55b8023c7378166e1de4efc3f4970c3a54e8c1aa508e5f8110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Citations

Filesize
65KB

MD5
bd0c8169fea6a0f0ad4863961cb3e828

SHA1
a283793374a89319f3161f258c590832ddf18770

SHA256
3aebd16034dafb00367c74809de05380fbf0de25c5cbbee7485b69eee55d3e06

SHA512
fa170a2520e91454a777f559086862d24c113bfa529715c35ccc42220be191628d2aa0e1bd255104463698e8ee957c84c2af0a2caec06934b482a1cbf0bc66b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Conflicts

Filesize
23KB

MD5
6f0c63fb9a8005e1b9893326e4c5d644

SHA1
37c8d16b7335f238f2dd0f4d080071b17b7cafad

SHA256
cc27a286bff343903ad429d8443957ac09064d6ec7b27db26827b1a835c7d748

SHA512
738acaaf1947758670dfd0228a544e74cf97dc4aaf7d35fc7829452975bfc37ad12a1ed9a0cd9d44a318e7ffc63935925be4995980b3a00d29184372c3cc7693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consist

Filesize
2KB

MD5
83312cafd3a0f5112950c5e033d1f877

SHA1
1ead3f8680199ad967a050123d1c848a4c37e3ee

SHA256
74bbb520a6f27437431afbce50d7f3c52711b8860d910588e2bea2c3cb24fbf7

SHA512
009a57214977c088bd1b2e4f24dc2ee2c563376716d134fd7850dc0424ebff9f96db0c032cca3307c50150d0f8492fb055cf0aaa24012c49714d50eb3b90b738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Elite

Filesize
126KB

MD5
53e2756e1204e5c25c38307daa54185d

SHA1
5b99a9c06ce605d93cc5b43b2efd766c4edc89e9

SHA256
7c5d27dddc9407fe64ca0fd3ba884aa9d593fc91bf7b4ec5127acbaa4e1e2ff9

SHA512
65cf4a3695e54cdd621d599f027dbf8b6de1331cc77765ee0fe3fe40de795398049a3e5db10cf79c710272cd1ba8640c87c7750b76f64ce9848adb5b43797d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Extension

Filesize
66KB

MD5
ca328a92d384e1172b0f657e588197cd

SHA1
e0ea7102302f25b4218159bf32ef79e1bb56345f

SHA256
bfd10879455f94674de0d891b993e28c84f547a45200e23ded744b76a7bf1abe

SHA512
b25c494e79d057d32498d25f85b8f85018b9495af7ec2d254d23dbef9d1d1011332455574e24f9d4d4ef2523b8ae660e0c41075a6e794f9632af758c3c959d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Iso

Filesize
58KB

MD5
8f7a27ca8809b10dc04c9a81b4c82b03

SHA1
5bc8d6a5db258139be81b4cf8a46b542cc9f93b5

SHA256
7a1c064f518ed6d7596ed47faf2b8aa782e763948aec3d84d6006ff97d5703fd

SHA512
9e688577a417e5a4940c09477b6e0695ea13fe032bc23b484ade6050fad8db51ee071ab3ab9c2c63f060855dd91960b2123520067a79ab642a41fed4d22fadd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mb

Filesize
144KB

MD5
c62cf4ea70d4c9d82852e1ffc94e0437

SHA1
793bc14e085fba0dbc1fce0d8407ac1483f3926e

SHA256
7e5ea196f771120e2df45468ac39df309031b01926730a2b1dc4acbb9f137c8a

SHA512
1fc7bd0af67ef6cc51400a7bff017f74bf5368818f57d51c107a69f833dd6b267919a4e5e4ae5ae849e0437eab80a26c3a629bf0ddbbcee4a7df0d6487ed9e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Organizational

Filesize
77KB

MD5
86dfe448d6f558dc4ac44dbbebefb0ce

SHA1
aaca62907c75daa348ad0cea162b0c4197a1b781

SHA256
eeda28037ede8298dab5eb33fa2a6615439cfdbef809e6a765f3ad322ef7016d

SHA512
0a3d8e00dd5a5ce937e22a77f270ca3e42a870f65204c1a36cf49d3b411247ab0a1b58d2ef7a913987afce0b6e7fcd5be8c463e632806d41aaca1617231f4187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Parents

Filesize
77KB

MD5
ed7bbb47a06dfb797c1c29023c951964

SHA1
f670b7b70ff683d513a0e278bdcb7c3ad4fa70ef

SHA256
31984e14c8a40bbda23c1bb7833f218bacc04eee6fca486ce3c4998e5009576c

SHA512
c020b04283888dc850a98b14b160c4ad454c9e9060689ad59945da5615b04972f8b5e08c921cac9edc8e77e697d0b9f5197b7ff816170b84701c320d441f8ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Proposals

Filesize
67KB

MD5
96a4f605abd67c69596d0f30891bcda2

SHA1
8c3e19dd616ce28feedd05e6d5df2a77b959d1ee

SHA256
c17bac465a6f151832b1df82dd19d944f7612d7718162c78766cd19c3f3da1b1

SHA512
a81ecd134e41b1bc0c7b11f6c8bbdbdef71a286eca4b995cd21c167efbe04ed9050cf2d7e8279609cbb1cb338cd66db879e1cc1d26fef154ac7bb735bd77d1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Repository

Filesize
478KB

MD5
3fc44943e0e388647474298f5fc4f98c

SHA1
66aa8e5313b1715fce540f1cf985337115d3a60a

SHA256
d6128ec0e64b67be5cb7787e91f2d84330d7c8fff4ecc5bf78c2f2d8f55e094e

SHA512
4cc34dc74a34f2fa8e2ead392a3f7ed5e38fc1f50e37b425e416abac0d945056fed50ef549568afc59104dd1e1133abfd545b3f1a1be8d4b1fe9ceeba714340d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\San

Filesize
109KB

MD5
68b81ca65154f033364440d912d50556

SHA1
0be175fa5e63ece9188b733e9b56d424a87ddd64

SHA256
48771a7faaf737d13e454593703a8bc1304352a49710913b3dd21a70afd18f9d

SHA512
fff833a5d0c7e95b74d0fe1c492a71b5549b0bc8751cbffaa6c855e220edc222d8c1ac6c05f2f5a3696f3f8c5d029394b974a2831b34ccf053140de59bfdcd21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Shuttle

Filesize
69KB

MD5
5b24fa429fb2c46e9b30609ff0ce2a48

SHA1
5728528cf2245e0f189af5a510faeae8b4d41abd

SHA256
b4ce707bab0cac4f91125d6f88052ff734405c58eaa1744e81e088438b8de8e6

SHA512
ccbf1849d8b92e0bf7e2ebe379f5bea765a0a5063c69bd32ebe4dff23e5e0b1a8bf991856417a44c49503b5d9b3d154549334de199404517880e507fac25dd6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Situated

Filesize
99KB

MD5
ebd570f07376bf2f88e64312737b8e1c

SHA1
d8daaf771da1db6a27e1566c49479f52d1aa0257

SHA256
710ee0073474296f0c83c5951c60998e5694beaf438c1055f2961a0d4228435a

SHA512
f7e0974e7e90a2f740856715e077b4b49bb827d407ce8c330dcefa9e752a29a523ea2d843d38fe17a574e33dc6be0ed46f666fa681b6bc52dd608b0960347e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thermal

Filesize
83KB

MD5
38ffa94e0e6c78baf39af60e3c708117

SHA1
ae52d958bd438dc0e7d2aa4f83d062eacf6e211b

SHA256
c85681f23ae88c9b5f480046920672b4e1cc510f2af1622910b8247ffb2fc462

SHA512
011355e40ffddbcac081bae30916982c405d604241a42e9668fc96ad1b9d7083240f9c7d14e9fade35ea41194a8aef836d8bebfc24682bce77e49bb2ed981605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Willing

Filesize
98KB

MD5
ab8332216c0359a94d5907d2499796dc

SHA1
522c62354690742aa60e1fbd7b110fd6a3eefb92

SHA256
ba8c84e37d3a7b1237f014098393e68aeca58dc527ecaaf994f5a2bb078cc90c

SHA512
0e4eb5abf3a460fa47397592affd5280a5a2173d88a7a703ffe622eb4c60bd9b12615674a39b564cf5abdbd9cda2339183abcb38d4893b5ba06fe7aac7a74cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wordpress

Filesize
60KB

MD5
3f0a63af42ca7cd1017dd29fb2145a9e

SHA1
c9067449a9ee03f063f14419b4e04f3f3ff50af8

SHA256
3128948b5b4145db9cbbc96081f7374a5af5de421145c05bd0038940ab8872c1

SHA512
95b17ce111f774eecb73a4aa17b450de2fcaf02d33f4d182e7fdf811f4831fb0c2f002a5c3f8e5d26db6889589546227fe017c1143399b61d56dc16fc16bf12c

Download Submit
C:\Users\Admin\Downloads\interfi_acid.zip

Filesize
8.4MB

MD5
a1927e0a66add92bd80b2956d133147c

SHA1
6354da51d6f9550fa48cb863e3ba756f31adcef1

SHA256
b3cf39e53e1045f100a129def75b7f944fee6443f8dc4ed3f3183f78ac7af8f1

SHA512
d3121522e7e7042f69aefa43602570689b7bf236c167c4d28e3b63d55baba26ba8025a67f926b72a94af88b55b3aad5abf391dceed50e4955ef996df05223cd3

Download Submit
C:\Users\Admin\Downloads\interfi_acid.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4588-417-0x00000000045B0000-0x0000000004607000-memory.dmp

Filesize
348KB

Download
memory/4588-419-0x00000000045B0000-0x0000000004607000-memory.dmp

Filesize
348KB

Download
memory/4588-418-0x00000000045B0000-0x0000000004607000-memory.dmp

Filesize
348KB

Download
memory/4588-420-0x00000000045B0000-0x0000000004607000-memory.dmp

Filesize
348KB

Download
memory/4588-421-0x00000000045B0000-0x0000000004607000-memory.dmp

Filesize
348KB

Download