Resubmissions

17-01-2025 02:42

250117-c64j4szpbj 10

14-01-2025 02:47

250114-dacl7axjdr 10

12-01-2025 05:53

250112-glgbas1pdp 10

06-01-2025 23:08

250106-24x2zstrcm 10

Analysis

  • max time kernel
    61s
  • max time network
    63s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17-01-2025 02:42

General

  • Target

    Set-up.exe

  • Size

    1.1MB

  • MD5

    66f7c3478c05fc5076831c995d1aa078

  • SHA1

    87768180fdaec44732d4b6594ca2581f6f98f4cd

  • SHA256

    b0669b7c7af17ac57206e5763439af214c3ac95f78f54c725cd4755f313b42a7

  • SHA512

    9c11ad42729e31fd2d1dc02707d2a10837c0cda919516fd49c2b539e98959f2ca2e64e3887b3576f507c69bc923702ec7ae2dc71b450a82440011b824bc684a8

  • SSDEEP

    24576:giC44xR9ylHUJpixIJB4eWlhpJTXaNDBoSQp/YFoA9:cNp3eQ0JTXarM/YFoY

Score
10/10

Malware Config

Extracted

Family

lumma

C2


Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 5 IoCs
  • Enumerates processes with tasklist 1 TTPs 14 IoCs
  • Drops file in Windows directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2244
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3432
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1384
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 436262
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4016
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Cheap
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4836
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Projection" Bibliography
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3748
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
        Speeds.com n
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1984
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:680
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1436
    • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
      "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4528
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "opssvc wrsa"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3452
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2572
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3440
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 436262
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2580
        • C:\Windows\SysWOW64\extrac32.exe
          extrac32 /Y /E Cheap
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3972
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "Projection" Bibliography
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5004
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4192
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1348
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
          Speeds.com n
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2384
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1572
    • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
      "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3528
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2980
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "opssvc wrsa"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1560
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3884
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2352
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 436262
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4604
        • C:\Windows\SysWOW64\extrac32.exe
          extrac32 /Y /E Cheap
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4312
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4448
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1248
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
          Speeds.com n
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2864
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2872
    • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
      "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1328
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:236
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "opssvc wrsa"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3908
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4832
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          3⤵
            PID:2072
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 436262
            3⤵
            • System Location Discovery: System Language Discovery
            PID:416
          • C:\Windows\SysWOW64\extrac32.exe
            extrac32 /Y /E Cheap
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2356
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2856
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4972
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
            Speeds.com n
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4068
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            3⤵
            • System Location Discovery: System Language Discovery
            PID:3536
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
        "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
        1⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3440
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3516
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3252
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "opssvc wrsa"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:772
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            3⤵
              PID:4408
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c md 436262
              3⤵
                PID:1912
              • C:\Windows\SysWOW64\extrac32.exe
                extrac32 /Y /E Cheap
                3⤵
                  PID:4424
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "Projection" Bibliography
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:776
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:5088
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
                  3⤵
                    PID:736
                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
                    Speeds.com n
                    3⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3296
                  • C:\Windows\SysWOW64\choice.exe
                    choice /d y /t 5
                    3⤵
                      PID:460
                • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
                  "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
                  1⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4744
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3380
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      3⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1308
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4368
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      3⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3976
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:3572
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 436262
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1896
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Cheap
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4572
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
                      3⤵
                        PID:5112
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
                        3⤵
                          PID:3528
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
                          Speeds.com n
                          3⤵
                            PID:4504
                          • C:\Windows\SysWOW64\choice.exe
                            choice /d y /t 5
                            3⤵
                              PID:2452
                        • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
                          "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
                          1⤵
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:2376
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:3112
                            • C:\Windows\SysWOW64\tasklist.exe
                              tasklist
                              3⤵
                              • Enumerates processes with tasklist
                              PID:2676
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr /I "opssvc wrsa"
                              3⤵
                                PID:4652
                              • C:\Windows\SysWOW64\tasklist.exe
                                tasklist
                                3⤵
                                • Enumerates processes with tasklist
                                PID:3096
                              • C:\Windows\SysWOW64\findstr.exe
                                findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                3⤵
                                  PID:792
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c md 436262
                                  3⤵
                                    PID:1328
                                  • C:\Windows\SysWOW64\extrac32.exe
                                    extrac32 /Y /E Cheap
                                    3⤵
                                      PID:2152
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
                                      3⤵
                                        PID:4968
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
                                        3⤵
                                          PID:2276
                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
                                          Speeds.com n
                                          3⤵
                                            PID:2888
                                          • C:\Windows\SysWOW64\choice.exe
                                            choice /d y /t 5
                                            3⤵
                                              PID:4584

                                        Network

                                        MITRE ATT&CK Enterprise v15


                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com

                                          Filesize

                                          2KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com

                                          Filesize

                                          925KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\n

                                          Filesize

                                          508KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Advantages

                                          Filesize

                                          9KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bibliography

                                          Filesize

                                          2KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Business

                                          Filesize

                                          145KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Charged

                                          Filesize

                                          60KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cheap

                                          Filesize

                                          477KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cheap

                                          Filesize

                                          237KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consultant

                                          Filesize

                                          69KB


                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Guaranteed

                                          Filesize

                                          113KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Homes

                                          Filesize

                                          54KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jewellery

                                          Filesize

                                          62KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jewellery

                                          Filesize

                                          47KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kitty

                                          Filesize

                                          80KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kitty

                                          Filesize

                                          78KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Magnetic

                                          Filesize

                                          98KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Makes

                                          Filesize

                                          85KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Namibia

                                          Filesize

                                          137KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seattle

                                          Filesize

                                          124KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Snow

                                          Filesize

                                          86KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spice

                                          Filesize

                                          30KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\States

                                          Filesize

                                          145KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Supervision

                                          Filesize

                                          110KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ti

                                          Filesize

                                          53KB

                                        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                                          Filesize

                                          10KB

                                        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                                          Filesize

                                          10KB

                                        • memory/1984-66-0x00000000047F0000-0x000000000484B000-memory.dmp

                                          Filesize

                                          364KB

                                        • memory/1984-70-0x00000000047F0000-0x000000000484B000-memory.dmp

                                          Filesize

                                          364KB

                                        • memory/1984-69-0x00000000047F0000-0x000000000484B000-memory.dmp

                                          Filesize

                                          364KB

                                        • memory/1984-68-0x00000000047F0000-0x000000000484B000-memory.dmp

                                          Filesize

                                          364KB

                                        • memory/1984-67-0x00000000047F0000-0x000000000484B000-memory.dmp

                                          Filesize

                                          364KB