lumma | hxxps://www[.]mediafire[.]com/file/aa53p5z877i3e04/%2521Files-PAsw0rds__6166[.]zip/file

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 07:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/aa53p5z877i3e04/%2521Files-PAsw0rds__6166.zip/file

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://controlopposedcallyo.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 9 IoCs

pid	Process
4556	Set-up_Full.exe
5112	Set-up_Full.exe
460	Set-up_Full.exe
3616	Set-up_Full.exe
3872	Set-up_Full.exe
1972	Set-up_Full.exe
1516	Set-up_Full.exe
3980	Set-up_Full.exe
4736	Set-up_Full.exe

Loads dropped DLL 64 IoCs

pid	Process
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
3444	fm.exe
4092	fm.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
3588	fm.exe
3808	fm.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
4796	fm.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5112 set thread context of 4044	5112	Set-up_Full.exe	119
PID 460 set thread context of 1816	460	Set-up_Full.exe	124
PID 3616 set thread context of 4408	3616	Set-up_Full.exe	129
PID 3872 set thread context of 2188	3872	Set-up_Full.exe	133
PID 1972 set thread context of 3032	1972	Set-up_Full.exe	138
PID 3980 set thread context of 3328	3980	Set-up_Full.exe	144
PID 4736 set thread context of 4756	4736	Set-up_Full.exe	153

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe
2148	msedge.exe
2148	msedge.exe
2712	identity_helper.exe
2712	identity_helper.exe
4008	msedge.exe
4008	msedge.exe
4952	7zFM.exe
4952	7zFM.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
5112	Set-up_Full.exe
4044	netsh.exe
4044	netsh.exe
4044	netsh.exe
4044	netsh.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
460	Set-up_Full.exe
1816	netsh.exe
1816	netsh.exe
1816	netsh.exe
1816	netsh.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
3616	Set-up_Full.exe
3616	Set-up_Full.exe
4408	netsh.exe
4408	netsh.exe
4408	netsh.exe
4408	netsh.exe
3872	Set-up_Full.exe
3872	Set-up_Full.exe
2188	netsh.exe
2188	netsh.exe
1972	Set-up_Full.exe
1972	Set-up_Full.exe
3032	netsh.exe
3032	netsh.exe
4652	7zFM.exe
4652	7zFM.exe
3980	Set-up_Full.exe
3980	Set-up_Full.exe
3328	netsh.exe
3328	netsh.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
4736	Set-up_Full.exe
4736	Set-up_Full.exe
4756	netsh.exe
4756	netsh.exe
3884	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4952	7zFM.exe
4652	7zFM.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
5112	Set-up_Full.exe
4044	netsh.exe
460	Set-up_Full.exe
1816	netsh.exe
3616	Set-up_Full.exe
3872	Set-up_Full.exe
4408	netsh.exe
2188	netsh.exe
1972	Set-up_Full.exe
3032	netsh.exe
3980	Set-up_Full.exe
3328	netsh.exe
4736	Set-up_Full.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	4952	7zFM.exe
Token: 35	4952	7zFM.exe
Token: SeSecurityPrivilege	4952	7zFM.exe
Token: SeSecurityPrivilege	4952	7zFM.exe
Token: SeRestorePrivilege	3168	7zFM.exe
Token: 35	3168	7zFM.exe
Token: SeRestorePrivilege	4652	7zFM.exe
Token: 35	4652	7zFM.exe
Token: SeSecurityPrivilege	4652	7zFM.exe
Token: SeDebugPrivilege	2492	taskmgr.exe
Token: SeSystemProfilePrivilege	2492	taskmgr.exe
Token: SeCreateGlobalPrivilege	2492	taskmgr.exe
Token: 33	2492	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2492	taskmgr.exe
Token: SeDebugPrivilege	3884	taskmgr.exe
Token: SeSystemProfilePrivilege	3884	taskmgr.exe
Token: SeCreateGlobalPrivilege	3884	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
4952	7zFM.exe
4952	7zFM.exe
4952	7zFM.exe
4952	7zFM.exe
3168	7zFM.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
4652	7zFM.exe
4652	7zFM.exe
4652	7zFM.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe
2492	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2144	2148	msedge.exe	23
PID 2148 wrote to memory of 2144	2148	msedge.exe	23
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 2976	2148	msedge.exe	88
PID 2148 wrote to memory of 1616	2148	msedge.exe	87
PID 2148 wrote to memory of 1616	2148	msedge.exe	87
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89
PID 2148 wrote to memory of 3820	2148	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/aa53p5z877i3e04/%2521Files-PAsw0rds__6166.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda6c646f8,0x7ffda6c64708,0x7ffda6c64718
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1648 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5107557168382484507,2281972521523884390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_!Files-PAsw0rds__6166.zip\Free_Setup-Latest\!Files-PAsw0rds__6166.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4952
- C:\Users\Admin\AppData\Local\Temp\7zO853CD0B7\Set-up_Full.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO853CD0B7\Set-up_Full.exe"
  2⤵
  - Executes dropped EXE
  PID:4556

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5112
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    - Loads dropped DLL
    PID:3444

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\New folder\equilibrator.tar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3168

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:460
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    - Loads dropped DLL
    PID:4092

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3616
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    - Loads dropped DLL
    PID:3588

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\floe.txt
1⤵
PID:3168

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3872
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    - Loads dropped DLL
    PID:3808

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1972
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    - Loads dropped DLL
    PID:4796

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_!Files-PAsw0rds__6166.zip\Free_Setup-Latest\!Files-PAsw0rds__6166.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4652
- C:\Users\Admin\AppData\Local\Temp\7zOC22F11BA\Set-up_Full.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC22F11BA\Set-up_Full.exe"
  2⤵
  - Executes dropped EXE
  PID:1516

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3980
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    PID:3216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2492

C:\Users\Admin\Desktop\New folder\Set-up_Full.exe
"C:\Users\Admin\Desktop\New folder\Set-up_Full.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4736
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58670ac03d80eb4bd1cec7ac5672d2e8

SHA1
276295d2f9e58fb0b8ef03bd9567227fb94e03f7

SHA256
76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

SHA512
99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3782686f747f4a85739b170a3898b645

SHA1
81ae1c4fd3d1fddb50b3773e66439367788c219c

SHA256
67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

SHA512
54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
500b879e42f3dc34c8cbb273adacb041

SHA1
133296b32e07f0bc8941a9a8ea8f5e5f812045a9

SHA256
b56316db776838c62e858fb90efa401e1ef2e090301d16a508dbd31577d6e867

SHA512
6fbe9cb8f04cb3ac24c7e5530a7010cd40e0006c93b43cf2a5950e4de3311918f41e0386165763f7fa156a81b649333e2993629c17b9d5311549bd148123f9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b15960c7039974fdb74b3097600b8ed5

SHA1
6aa293f0f0201d37bc956f0055880f6268340f5c

SHA256
e41f18b1a3c5cabf9249b7046c3eedcb6b2c14e0c311b0768710f8353381f4b0

SHA512
b28e960316cd709a5d3eb865ea455cabb8c8eb342d81292c86192d7d9b93dc3968cdb10682de741ea55eadc9fd407f7c861f28dfcc63e69df8a9b707beab6d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c290550e600e19090b3976fc4044ea68

SHA1
46be55f83c1818573a2559d2fe2a0bc85d8508b1

SHA256
87016a709d6990e1303bb555a9fb0d6c7cde17b17a0ef5ac1157fea5e85fc3e1

SHA512
ec7d8aa8c004a57cb0eb60aa5e25584573046ed4abfb78fd4570fe87fee291c84853049642efea4b172183980dd83bdf5023ba568dec6dbb1480c406ea77bfa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64bedfcbda3416b605d6a4521135016c

SHA1
9f7d660a58bbd39395ed7014a78ef6a5b6409fa4

SHA256
8a83dd9ff10f54b5c939623388ca445ada47c3d596bb0061f34cc5a7032844b3

SHA512
0499a90c79160119afdfc5096d99c72cf4125ba35ff904405e0456974fa6f63d611194052f67ed51a1ad116dbc6cec0f4f353d096538fa5b697d7a51c973bcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c85953c8f4054fadd6dd478eb9b29511

SHA1
9ecc4ff628da77ba3f4daa4d2b4271400a4fe8c0

SHA256
2ef9243539c822a98511f4e446ed96d6da07919d33a8762d4e0bcf1fb17bd65a

SHA512
36eb477dfe9335f02a15508baf6627e0d729102c051d386a1384f3d1068deaeb666e8dfe65a676cc199df91e64fd3d26354f6ce84a5260baac672c0457852d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
723ce17f67fbbc531f078be724892678

SHA1
9df1583010c50d936f480616948bc06dd77d646f

SHA256
541bd9c71d70b97924b16f0c63f958b67da0c51e4c1999a43e2efe1621b149be

SHA512
d8455c395c771d5b512faed65b5bf15cc401bfeea6d3e00e1c38c0bbfedb9ce48231c1ae386517e7d5294470d59ce67c3b11529d3061e6bb132e5a252711a982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77cd7bdb6eeb269d375712a88f9d19b9

SHA1
0f41a709c88b5278bc7ecba4845f249fd6e8cdca

SHA256
ac8c96bb9485807921027ca8fabe200f0eecb8dfa212f4ca7158317222c16fd9

SHA512
497c35be787e62c0d9a7db2e80b66e8e2a90adbf0b00558c63b13eab4f64e99e421b6f95ff639bbb46fdb8f93403d66e782bd9f68a5d1983426e18309e8bab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c01eddc543d9d3e3b1b04c316ffa7732

SHA1
450e5eb4019eeb1a16baddb49cf61cd4a4c90357

SHA256
7fe6792045b466059677d141e096396ed121b353392ebeee493800c18a6d5c34

SHA512
214a33f45f0f0c895a1760b342c059ebe2ee24772bffa28a5949560f28ea497218cad87e45e4aeab492e8b6e1f6032f38e49ddc344e5492b6a4778ab3316f6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b1bc2e96eb89b174bfebb95c7d685e80

SHA1
bace3a5cf55f2c5560712d205c92bc9ba9663f2a

SHA256
0218ceb360bb1e17d96985731cc0c972871435b10851286a6f61d3c0442df568

SHA512
ce97bb0daaff6dccbdef186c363baeb10a769fb27b44eab3b05ea85f46a118b84c520f5b6a0036bf501c71461c76eaf56d6272f69cc795474fedd12c843f62f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\45e8f5c7

Filesize
1.9MB

MD5
0547300f2448e239e84922b58bee8b0f

SHA1
ed66f38f880846c145fa812e30cab4ea77477197

SHA256
aff8acd4871cf18f355eeaabc74695a11e615bb9c1c83fd29f6cd9065e21505c

SHA512
4966bf0bc95782869c4c7ced8b792d93325600414a859308f8f8e90f0b08ab544550a3ef868a6dbd847fb0d4396a3e1cde0d51a8b6664a7b9c4cef7e29ad3860

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO853CD0B7\Set-up_Full.exe

Filesize
3.3MB

MD5
55076afc8f8de2df8f91fb2742bcda61

SHA1
c848bb01e859163b08ce4f58994b3d814dfdf700

SHA256
e3cb1b8edb969533e9299c4169b12df17a01d7516df943b486a785c986ceda30

SHA512
70bf3d76b86b28aa4209a51469a4b2161c4253313849217b5e1267cb17f6279235b9ed18cd975aa48227401b48887f594b3be149531750638091afc51a425d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO853CD0B7\Set-up_Full.exe

Filesize
3.0MB

MD5
5260956a85429ee303a3bf1f4bc96bfe

SHA1
90a482fb7a9f078e3cee3d8345dbb822e51a57a8

SHA256
4c8815ea9b1a96b74e6794b91c32c8b4f4947ce70b11b226a80ac140917f4476

SHA512
56f587e12fa515fbd3fd92162ee9efd63d10fc60649358389b9d454b4e06de9f2c9906d296d5f2b6e56bbd2e376b4246bd9453d4692b3c64ee8d6972a0aef8f2

Download Submit
C:\Users\Admin\AppData\Roaming\shpafact\libX11-6.dll

Filesize
1.2MB

MD5
78a16a03ca604504e880aaf991eb75e4

SHA1
48914fe6af8618e6911a0c9af52a9ee6853d4942

SHA256
1c6be2a6bbfab3194155dc74d9ed7d517ee3ed61cc14d6a62ea86bcfdffb8a04

SHA512
0f733ec29e3f4c6905f14a64d5684ce6643c24a6e89ba5d411913a438b32d9547628b22862f6bbab863636ad451a5cd4e92c7770644059c69bc667cc58d42f73

Download Submit
C:\Users\Admin\Desktop\New folder\equilibrator.tar

Filesize
84KB

MD5
f07f53569c594f04b5b15ca6dbe4b455

SHA1
0cc33a3154349fad167f56f24d768177291383e2

SHA256
6a052820e39dc91e9fbbd96f8b5b2180d63266bf156dd3d2dd94af98294c715a

SHA512
75ff71afc83d2b499bcea82034691d1d9707c6a525e8ed24f7469934b7a1fbd607cc8e0a36dc1ebe58c97706dbc8cf7052a4aee49858caa5b18c04cb9486e2bf

Download Submit
C:\Users\Admin\Desktop\New folder\floe.txt

Filesize
1.3MB

MD5
3e81b9e7ec91b765697b9ec13e8b7d5e

SHA1
b58e0ed59a8f00afabf06bc9b437dd9f87fad5ea

SHA256
3c004db3f2a28717b90aa93aceb54b4ae9cc58e2872097faea676b3831037426

SHA512
e426e195483c1ffd813717a061f8272ee3dd07df961328be57387413b2900bfa1dba9dc537c5a272a0a81e1bfdbcac4de2a42f88bfdbae9e8d3a8688b33b8e43

Download Submit
C:\Users\Admin\Desktop\New folder\libX11-6.dll

Filesize
1.2MB

MD5
3cd9af46753f2a618d15157372d0d2bc

SHA1
f2a1781b1a6d33338db4d9725b28f15d8a410903

SHA256
497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628

SHA512
925097106554f6eac698ba933e32fb82c1405c7ccfe284b27f1558e9ab46139506b1e981721aeafaf2e0d595dbdfce3587c4056c6920fdffb0b2f2bdbdcdb38d

Download Submit
C:\Users\Admin\Desktop\New folder\libXau-6.dll

Filesize
20KB

MD5
b6f0655bed934503621fcf94ba449a19

SHA1
f0a5d9eefff5f3bcd2e23b9db748c50cffc1c6e8

SHA256
0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed

SHA512
77a10ae1748e5d76288c59933f3f41d4dc7a690b1f2bc9bff0b761f9f2c5331f868dc0259ffe4c4672e1806c33f3f9d0fe0a8b09b10e06333d2590f623c5b284

Download Submit
C:\Users\Admin\Desktop\New folder\libXdmcp-6.dll

Filesize
28KB

MD5
7d4f4d3bc6ab6c3ea2097a7ecd018728

SHA1
2434fbad089ac85eda43c0b0e911ab437b4dfe63

SHA256
7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba

SHA512
f9b64cbcd7c7c7b4e942c3da74fb280762d038f974fc23d1e0431b15787aefc87464cda121aa8fccf499af46e345dd65aa5fb5cfee1cb45dba6e5dd79b01a1d8

Download Submit
C:\Users\Admin\Desktop\New folder\libdl.dll

Filesize
17KB

MD5
ed925bdab51f49813686b62eb82fb4a4

SHA1
bc7c742b92a5b47089e0b400a8a80bb217e775fe

SHA256
e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62

SHA512
5be99a6b0e2091fe37ff50d5a9c4fa789db27b5ba108801e4d18e99ae584ae1bc91ba3339916dff8a323155815e660f43ca54ffcc7c14c1e3f90600aedb54bd8

Download Submit
C:\Users\Admin\Desktop\New folder\libgcc_s_dw2-1.dll

Filesize
114KB

MD5
d35376c0d447108b2f9d64d4c40014f8

SHA1
c68129e8bf6cdaaa318c5aad8974efbc2b7ce39a

SHA256
c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225

SHA512
c46af0bbd3bca6e12125750a5b1ca4f17f85f84729b1c1c01ee76de3704bcdb090212202cf449458833f8ee92e9a46c8758cbd069747de534e2984dccbe9f24d

Download Submit
C:\Users\Admin\Desktop\New folder\libwinpthread-1.dll

Filesize
96KB

MD5
e40b7acdd7654c071b0f2c17eb91fddd

SHA1
6f7f65cacb44a378169cb9066099dccf96f51426

SHA256
b53329b607a4af6d59ce94c2ef79abad5bea6ff7045f53af721f5ca09e6f5840

SHA512
dcdddf8601e733947e76c6c5dca0cd7ffd2eb373ef771e43d411da3ee6d3da40f0a8f34e7599a3b7a6399fb4ee26d501d86acb08b889acc07e95a9a1d6b17a4e

Download Submit
C:\Users\Admin\Desktop\New folder\libxcb-1.dll

Filesize
132KB

MD5
a4212be49e5ce8f3bf3950ca32c4bf14

SHA1
53f8e986e5fa3844eb73f063ed01772b53bc2504

SHA256
394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716

SHA512
74520d3b3749d2b61e8a970c1fb29c588f98ce477eac4ced8837420153a6e739303aca15ed7d1e070125afa7f3ee32e452815ef1af135f8ed39ef2fce9d333ab

Download Submit
C:\Users\Admin\Desktop\New folder\libxcb-image-0.dll

Filesize
25KB

MD5
a3718d24f0e6eae9d6121a1219381ae9

SHA1
a3377f64d8fb6162f6280d3d924626c1fc6a2fe7

SHA256
cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327

SHA512
43f9c760be222490d43cbd9589b4afbc64759919993a1957a13a753cfcc9d94059dba0b5400a745c377c7bea1f02f4f8f6f952bee5b7ed33f6a49efaec62e9f6

Download Submit
C:\Users\Admin\Desktop\New folder\libxcb-shm-0.dll

Filesize
19KB

MD5
557ed85a1d8a3308e552a77a9902e8cf

SHA1
a9acf7a1db500a734e95038b29c0bd90f7af59e7

SHA256
e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef

SHA512
110acfc0b886a1ff77b5452e2f813213630ba2eb4610e06942a59da78e516e05893b049c0d1ddcc077ebabb3a9490cf84fb41f31b62822c9365b60a1b38fd4b8

Download Submit
C:\Users\Admin\Desktop\New folder\libxcb-util-1.dll

Filesize
23KB

MD5
ee6788d3d3750421e01519a27f86634e

SHA1
48f4c7dc7bd1208f07e4176e78f035d36682d687

SHA256
b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60

SHA512
12ef0ac4cf9c8461044317e693bcfabdb4beb34a222b635ba50f6652b5a91b92ff20cb19e916ac60dca3e8314b7d8cec710a1c730374bb8f260b8d94f57c9775

Download Submit
C:\Users\Admin\Desktop\New folder\zlib1.dll

Filesize
90KB

MD5
7e507af32ca219d2f832cf8d90ca805b

SHA1
4eb56c6f4184efc5a6bb5c7cab46547cfa769744

SHA256
3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57

SHA512
d19c6a0a0798db42490631aa9e30da4200e0b687250daa5ec8bcfe68ae2589a523adeacb6c77544488ddc7610fa84be7477a92c2a27605537a0caec2449c87f1

Download Submit
C:\Users\Admin\Downloads\!Files-PAsw0rds__6166.zip

Filesize
2.9MB

MD5
15d4403315ea70d9c1ce1a58ba26c908

SHA1
9ed7eb44696fd6131a702151763a215288f12d39

SHA256
23bc283c7eb575d21eab5d9d34e429d461f3922af6ae6a631b016354d5c4463c

SHA512
d1fb1e5153dc3fc3db45044b2485a4bdaed42c247edd201c181628a2df312f205f4334b9ab90a855ffcc69f6a7bb65c4274983c0c97ad4f28b6444e0960ee36b

Download Submit
memory/460-298-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/460-309-0x000000006DBD0000-0x000000006DBDE000-memory.dmp

Filesize
56KB

Download
memory/460-273-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/460-314-0x000000006DBE0000-0x000000006DBED000-memory.dmp

Filesize
52KB

Download
memory/460-311-0x000000006DBC0000-0x000000006DBCF000-memory.dmp

Filesize
60KB

Download
memory/460-313-0x000000006DFD0000-0x000000006DFF3000-memory.dmp

Filesize
140KB

Download
memory/460-312-0x000000006DAB0000-0x000000006DACE000-memory.dmp

Filesize
120KB

Download
memory/460-308-0x000000006DBF0000-0x000000006DBFE000-memory.dmp

Filesize
56KB

Download
memory/460-310-0x000000006DC20000-0x000000006DC48000-memory.dmp

Filesize
160KB

Download
memory/460-272-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/460-307-0x000000006DC50000-0x000000006DC5D000-memory.dmp

Filesize
52KB

Download
memory/460-306-0x000000006C370000-0x000000006C4B3000-memory.dmp

Filesize
1.3MB

Download
memory/460-305-0x000000006DDC0000-0x000000006DDE0000-memory.dmp

Filesize
128KB

Download
memory/460-304-0x000000006E010000-0x000000006E02C000-memory.dmp

Filesize
112KB

Download
memory/460-303-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/460-301-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/1816-317-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/1972-457-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/1972-473-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3216-606-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/3216-605-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/3216-602-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/3216-603-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/3216-604-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/3216-601-0x0000000000AA0000-0x0000000000B9B000-memory.dmp

Filesize
1004KB

Download
memory/3328-558-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/3328-539-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/3328-570-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/3328-555-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/3444-326-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/3444-331-0x0000000000EF0000-0x0000000000F3B000-memory.dmp

Filesize
300KB

Download
memory/3444-325-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/3444-328-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/3444-327-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/3444-329-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/3444-315-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/3444-316-0x0000000000EF0000-0x0000000000F3B000-memory.dmp

Filesize
300KB

Download
memory/3444-324-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/3444-323-0x0000000000AA0000-0x0000000000B9B000-memory.dmp

Filesize
1004KB

Download
memory/3588-434-0x00000000015F0000-0x0000000001622000-memory.dmp

Filesize
200KB

Download
memory/3588-432-0x0000000000AA0000-0x0000000000B9B000-memory.dmp

Filesize
1004KB

Download
memory/3588-433-0x00000000015F0000-0x0000000001622000-memory.dmp

Filesize
200KB

Download
memory/3588-437-0x00000000015F0000-0x0000000001622000-memory.dmp

Filesize
200KB

Download
memory/3588-435-0x00000000015F0000-0x0000000001622000-memory.dmp

Filesize
200KB

Download
memory/3588-436-0x00000000015F0000-0x0000000001622000-memory.dmp

Filesize
200KB

Download
memory/3616-375-0x000000006DBE0000-0x000000006DBED000-memory.dmp

Filesize
52KB

Download
memory/3616-372-0x000000006DC20000-0x000000006DC48000-memory.dmp

Filesize
160KB

Download
memory/3616-346-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3616-347-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/3616-371-0x000000006DBD0000-0x000000006DBDE000-memory.dmp

Filesize
56KB

Download
memory/3616-362-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3616-363-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3616-365-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/3616-367-0x000000006DDC0000-0x000000006DDE0000-memory.dmp

Filesize
128KB

Download
memory/3808-480-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/3808-475-0x0000000000AA0000-0x0000000000B9B000-memory.dmp

Filesize
1004KB

Download
memory/3808-476-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/3808-477-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/3808-479-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/3808-478-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/3872-394-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3872-409-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3872-411-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3872-395-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/3980-551-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/3980-535-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/4044-254-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/4044-257-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/4044-300-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/4044-258-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/4044-242-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/4092-336-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/4092-381-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4092-392-0x0000000000970000-0x00000000009BB000-memory.dmp

Filesize
300KB

Download
memory/4092-378-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4092-380-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4092-379-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4092-377-0x0000000000AA0000-0x0000000000B9B000-memory.dmp

Filesize
1004KB

Download
memory/4092-361-0x0000000000970000-0x00000000009BB000-memory.dmp

Filesize
300KB

Download
memory/4408-382-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/4736-589-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/4736-621-0x0000000075120000-0x000000007529B000-memory.dmp

Filesize
1.5MB

Download
memory/4796-512-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/4796-516-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/4796-514-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/4796-511-0x0000000000AA0000-0x0000000000B9B000-memory.dmp

Filesize
1004KB

Download
memory/4796-513-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/4796-515-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/5112-246-0x000000006DBF0000-0x000000006DBFE000-memory.dmp

Filesize
56KB

Download
memory/5112-253-0x000000006DDC0000-0x000000006DDE0000-memory.dmp

Filesize
128KB

Download
memory/5112-248-0x000000006DC20000-0x000000006DC48000-memory.dmp

Filesize
160KB

Download
memory/5112-252-0x000000006DBE0000-0x000000006DBED000-memory.dmp

Filesize
52KB

Download
memory/5112-247-0x000000006DBD0000-0x000000006DBDE000-memory.dmp

Filesize
56KB

Download
memory/5112-251-0x000000006DFD0000-0x000000006DFF3000-memory.dmp

Filesize
140KB

Download
memory/5112-245-0x000000006DC50000-0x000000006DC5D000-memory.dmp

Filesize
52KB

Download
memory/5112-250-0x000000006DAB0000-0x000000006DACE000-memory.dmp

Filesize
120KB

Download
memory/5112-244-0x000000006C370000-0x000000006C4B3000-memory.dmp

Filesize
1.3MB

Download
memory/5112-243-0x000000006E010000-0x000000006E02C000-memory.dmp

Filesize
112KB

Download
memory/5112-240-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/5112-238-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/5112-237-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/5112-223-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Filesize
2.0MB

Download
memory/5112-222-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/5112-249-0x000000006DBC0000-0x000000006DBCF000-memory.dmp

Filesize
60KB

Download