lumma | hxxps://mega[.]nz/file/AXMB2RAY#YrP3-be2t5yjaJ-TpWBlRPlLc_xGz_ZOHIrKXBYBXKg

Analysis

max time kernel
269s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/AXMB2RAY#YrP3-be2t5yjaJ-TpWBlRPlLc_xGz_ZOHIrKXBYBXKg

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://unwielldyzpwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 6 IoCs

pid	Process
1752	Setup.exe
1296	Setup.exe
3940	Setup.exe
1776	Setup.exe
1616	Setup.exe
3496	DirectoryMonitor_[1MB]_[1].exe

Loads dropped DLL 18 IoCs

pid	Process
1296	Setup.exe
1296	Setup.exe
1296	Setup.exe
1296	Setup.exe
1296	Setup.exe
3940	Setup.exe
3940	Setup.exe
3940	Setup.exe
3940	Setup.exe
3940	Setup.exe
1776	Setup.exe
1776	Setup.exe
1776	Setup.exe
1776	Setup.exe
1616	Setup.exe
1616	Setup.exe
1616	Setup.exe
1616	Setup.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 640	1296	Setup.exe	120
PID 3940 set thread context of 1528	3940	Setup.exe	123
PID 1776 set thread context of 4860	1776	Setup.exe	126
PID 1616 set thread context of 1140	1616	Setup.exe	130

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2990742725-2267136959-192470804-1000\{0F1BE5F3-2241-4080-BB8D-36625986F7A4}	msedge.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
2108	msedge.exe
2108	msedge.exe
1212	identity_helper.exe
1212	identity_helper.exe
4100	msedge.exe
4100	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1296	Setup.exe
1296	Setup.exe
1296	Setup.exe
3940	Setup.exe
3940	Setup.exe
3940	Setup.exe
640	more.com
640	more.com
640	more.com
640	more.com
1528	more.com
1528	more.com
1528	more.com
1528	more.com
1776	Setup.exe
1776	Setup.exe
1776	Setup.exe
1616	Setup.exe
1616	Setup.exe
1616	Setup.exe
4860	more.com
4860	more.com
4860	more.com
4860	more.com
1140	more.com
1140	more.com
1140	more.com
1140	more.com
4776	msedge.exe
4776	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3420	7zFM.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1296	Setup.exe
3940	Setup.exe
1776	Setup.exe
1616	Setup.exe
640	more.com
1528	more.com
4860	more.com
1140	more.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE
Token: SeRestorePrivilege	3420	7zFM.exe
Token: 35	3420	7zFM.exe
Token: SeSecurityPrivilege	3420	7zFM.exe
Token: SeSecurityPrivilege	3420	7zFM.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
3420	7zFM.exe
3420	7zFM.exe
3420	7zFM.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4100	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1428	2108	msedge.exe	82
PID 2108 wrote to memory of 1428	2108	msedge.exe	82
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 1568	2108	msedge.exe	83
PID 2108 wrote to memory of 3528	2108	msedge.exe	84
PID 2108 wrote to memory of 3528	2108	msedge.exe	84
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85
PID 2108 wrote to memory of 2632	2108	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/AXMB2RAY#YrP3-be2t5yjaJ-TpWBlRPlLc_xGz_ZOHIrKXBYBXKg
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2da946f8,0x7ffa2da94708,0x7ffa2da94718
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,4216204028136489112,8669507514594544679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x324
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1924

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__25907.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3420
- C:\Users\Admin\AppData\Local\Temp\7zOC5D88169\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5D88169\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe
"C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1296
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:640
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    PID:4348

C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe
"C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3940
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1528
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    PID:3052

C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe
"C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1776
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4860
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    PID:5036

C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe
"C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1616
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1140
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    PID:3548

C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Config\DirectoryMonitor_[1MB]_[1].exe
"C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Config\DirectoryMonitor_[1MB]_[1].exe"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\Config\_conf.txt
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
69KB

MD5
7d5e1b1b9e9321b9e89504f2c2153b10

SHA1
37847cc4c1d46d16265e0e4659e6b5611d62b935

SHA256
adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af

SHA512
6f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
41KB

MD5
ddb12152235627d79d91205d518ca3b8

SHA1
ffb693be91d5489410e1e3df1026c8696f54aace

SHA256
8280f3b8757419a41cfc842bebb61cd15e98aebd64400cd4075e7b4a7af9231f

SHA512
478d4a236fa688ff043abd63f2cd18d42cef48be1b6a78e46f5d48dc666f68e8292a0dcdcfa9172236307ba62052d7ad50970cdb5afd3a137c38896ec2b15a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
1.2MB

MD5
32f58aaf5a515bdbb3d13f72879d2bf0

SHA1
1742585148dcce5d9a85464fdc5b25f394e4736b

SHA256
b2be2096fe98a9b55d92512ae7859e8ba6a54be03afd7eb454b220f9ed888ec8

SHA512
28c693e9a85da7cd7441209c60c4da4b9b6b7da7555c86c2039387b470c453a474a07597069959cccc2840360f76dbb307f88a77e52248adcf8de71ab99cbe19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
6823ca34104db2db3d687df0a13cb41c

SHA1
b7c5cc2702a811dabc548965929ef9c32e8feac2

SHA256
7cc3d5d41b62858af2e26ee0e18e5f72f021037ab8d4c4889c50024a0a07f2ad

SHA512
b88d847e7cca27402305e8683ab76b0124ad58ace18f85c45aaa89f284b76fc24fbb855bff4ec70ac0a83d6762bb7dae1303a37f6e5cd6e2e01c6385b42d0670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c8964cd068e61708c7d7daab55320793

SHA1
44385acb223012d6d908ad8c2a91914b012f840b

SHA256
c9513e9ff17c06f1203b91d6b996ee065dea10a1a98df56084e2eadb00c9a6dd

SHA512
10fe5a921d4733791633e6e9d7514a2cf5640879a280fbd26bf5c713b08ae55e549ffca35f27f527a9973fb2f4d18ea15934bd9fbda06d282e813a90bcd2b525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
4f460e2e79c5d76efe46ee6808ceeb40

SHA1
c5c586773409f90f35e400749a8f2a6b3ee17e04

SHA256
f1ce65ba654dae0213ef0098b6a71632bfdb172b6a2e8b058f58ea9847a98816

SHA512
22c0e86d313bfcf8298a3ee51406d724c6ac8f269612101808504ac45ad2fd84d1ddb6ef034430dd4aa880943e5adc20dce5774be5ba4306939f47a8f04f5c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b2cd14e21fd645f164e7079d3f1b3a14

SHA1
113f5fc341a7b00d1d1f619712d7432c97aa99b0

SHA256
29b46a73b56118efa045cfcfd3164e0ce106ad7a078f5ab8361efedf4cd890ae

SHA512
6cf28631e86dab3ff61286558ece0e1163f270f5c113a822a52511edb231ad0bbbd4bf72e5fff58c7ee9d18ed361c031e52dd40d4068e67be32df54616155c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c4184cdb3a637f1f193c4c65938bc52c

SHA1
9cf84222af2c3c2ef915c88292463697da1dcdf3

SHA256
d90919dc1f2c3f8fffb70083e71446e9fb779006b83c11e4f5579856a2089083

SHA512
1fd97aa2fe670297ae0e971dbb6d75eb24604b1e5c57108c8b2d8ee9ec6824cd31259b077a9f26e472c3aa0169ab7ec6d10c4c8b7439db6c18631ec2aa3b81b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fabfde5e9261826d1308240c491ec85a

SHA1
c83b9def90d92b6babd9ac629c04363b23329754

SHA256
37c5941acd791205c996a9e333d25feb56f7324a69ea10d211c250efe6787906

SHA512
c96a7f166a97ad8321c0427fdbf5352140342923fa84f43f56f3c12e63a20b4719843d32baa926bcf2154de376e89a1a3ee5a58177f2e161f3cf1c3a438ba4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39302f12292a3adefbb4631e5ee28267

SHA1
37dcb82581a074004cb365bd44db393d8014eb2b

SHA256
5c9a0730d6ee7f284bc36b78f1369597383cd193a3b6b3a4ee67f44fe9948510

SHA512
e3a481fbfb2a70cc2ff3f56f85a9927a9fc790bc8b38b4a1dd93fc2793482610e4df38992656f5c2618c3af8c032f7d951b6d1970f3b21d8eabb5b9e720f22b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
03c8a92ad074c12dcdb40d2fe877238a

SHA1
c6846723f20c2f21dd7a6b65462ac69b8ccf4122

SHA256
34d522856ed40f418cd125bc9837957cad8fd8dfc67f02ae1b27c718c6a0ed13

SHA512
370e3d056e1a2ce780e4f20abe30c832f9f89b1d6ea24dc9475ef7e2532dbca66c2161d6f7e80554c3d7dd3535df591961523b9562d4431be9d5272d7432ccf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34d85430555fbdbe106b0effea80ae76

SHA1
cb71659272c62c59927bbf0c04d7094b148f9684

SHA256
b21d69aae936147b589d4556a26fb6c725fc885f207f289c11302045b68fac01

SHA512
626de59d6e2f17b1f86f2b33484a8ba036d2ce0eeee5e1b2a94a2024220a747d36b1036db412dd9b359349e7380fbf924eb20a0a3e03a5c3670e9077845ada67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e6917e4b7711f0076a079749bfe7113

SHA1
2de41ea0964f03ca7833006f1bfd720b042a0276

SHA256
34997fceac34110409ae9600604dd815c2c540a5094d81d5fadeeb901b872dad

SHA512
7d726d630cca449a7eefe4b2b13e564404b8d2d9aa00ad5aebe6fea07b78a22d8e3cf63a54fdebddd39fbd08f5ad7e567cb6cbdb9389c96dca4b02aa78f6ac6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7f9105b2a9ea0f3308bf45ad24dd17ea

SHA1
03b2f3ee2eae07ba3d8da28aa0f954405d3f6f8b

SHA256
23da9657dae7fb3f909b4947c2cec7ee275b3f49f1c749c6b6171ba71d7bf3da

SHA512
9723f57dc73cf8d6ea4f586f5688b3522f9c9c0945b9c74445102d09e2a7e8413ba3373212343eb1f2f5bd9dcfa06529e2ff0a092405d507fd00901bad5dfe71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8e6b525bdc2f71c7997b7a01b4e6ef72

SHA1
6e86cd02d473116151ae12b2eee35164c4bde794

SHA256
6f779ee8a1c782823be675723cccdaac35404b1c7f846778c770bb7f23b7fbbd

SHA512
851c2720bf93846d9850903e4d6def28d9081c125366bcd715e9a3a32ead90904c751acbf66a132adc62a330e76cdfae35a66bd50a6699de22552a1939bb08b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
83a505a9cf9c7d9d7c515cc43f673124

SHA1
3ab11f99a6954d13e2576c41a31ee39c1e33bf71

SHA256
5b61e63bc50cb4dbe0f66315c684d7c76c6769de9f0d9e39230ca54c9a5a4bc5

SHA512
95809cade88105bf20219f39be67e73059dcaa722730dd94a713e8e946fd0746732b02f632a1f4c22c92742c3ce6137cae925f22b268feeff6f173f1268f489b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5805f6.TMP

Filesize
48B

MD5
7da9e1a21a80b31ec7b0cadaf8ab7a6f

SHA1
3bc541a3b11ea30e7837638be938b0d077322dee

SHA256
5ed351e8bbad675f400e2201bd22e7e805d3efa58f973774773be3e95669ef3e

SHA512
dc5c1cc71973ea2240f87deaff99f6aac6674d7be8453f6562ebb8b17fe12f5a5fe664809fa30d62953fc392786fc84449a1d8cb336e9430464c7f4850c342bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d1303c98da95d3e506463380a839b7ab

SHA1
a2442fab72734308d25488a2bbf22f054a360c21

SHA256
81a0a940143efeaf499d3fa98efd1c6a8ecb7bdb13fb2dbdf123c06496741317

SHA512
222bdc7f8c60515e56e70f6290a4c3d3bc886a2edcb62f7af43e8fbe0e6ff1678786cf923bb46d1d8525ad436e862316e0fae9daa43573097af5abb51b0773cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c92171d7a8dad6ad60d05ac6666cf42d

SHA1
ba009baecc7d76e6f23b2c988f7091dec593e256

SHA256
f260e5867a55110fb161c2554fbf9c9928f33a8cefc5628e4c69ef4c2119aed6

SHA512
1e641ed18f0fd30abe2ae4ccf81f4c71d1c7f9c942322edc6a1650824ca09abd3be36c1e1ed427eae22ecda6ff53b38efb3280c164cd314b575b05c6bb7c854f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b9f2f72b14e2d2766dd3759a612d2458

SHA1
59348472dc6d25335d0cc5ed9c52aad3cd8e620f

SHA256
3d16c854fc3c4ff51419acf39efc344081ad48ff8846114ef98ff19d19d029f3

SHA512
fab7e13592ca5fd6deac59ee400ea4eb8edba7e8f5b35dbb9e432d48f9f86dd2c9577adc9caa9258db0f491003f11ba96be398c004552891fc52e58df6730cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
694e6bf515d54d7eab9f6aea1a09dc1a

SHA1
c8f4eee2c1f8ce5b2828b85458f8cfb0d5d718bf

SHA256
9dbcd4b089364e43221a101d660ca7b074cf02c30e2dc59d34a90c1d8d31a26e

SHA512
2b072f3f6b4b6800a964e5eea3d05f4025e8f7165956b83b08dff5e1fd3f4f189175a7be5a6909de9929491598ad33c911aa3936e93a3a0513c8ac74917e86b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a6f36.TMP

Filesize
203B

MD5
c0e8b41d7cd706ef697848b564cc58de

SHA1
5e55b17c2d1d5100fd639e515bfef29d029a3836

SHA256
3a545792d63ceb811101fc4a9a35a2aa0d6a9099290b76f0aaa2bc2be6149668

SHA512
22c129bf7b014f4e1632b67f10a08be4d5cd3b2ee80f9b832d35c876c25731985aa63b471202887e7ddcab508807ae54962d122d65cae8cd6dea6dddb3df1360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71ff10b153975da943b7d1302de695e1

SHA1
8b6f2e28e467fb6bcc6d61df178848126e523403

SHA256
00640efeb27849a983327726486ca976e16e90e18b534752703564acf81b5f69

SHA512
4ba9d50c0cd262ee660b1f04e26baf1bef034909ac9f5e5fba04c022f92df9786f3de59430a5dfda3a680c69dced57afc7411c7e18702460c994ea0336355ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a4222b881d5bd8bedab5efbd32fc05a

SHA1
9dc5f6a19958500fd6f489ca1e6c0f66a6243702

SHA256
3213b0e5b430fa0517f458dda5fb343bf1cf20c836c5e2bedd9a98e76a919b72

SHA512
8f59b573a0af4cef365e26518a0326104a994bccea482a67a806a41f0581e2118e3972daea1da9ef614bb9423c74909001bdb6fa8ce1e97dd5ef74b26e8203dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cf9be72

Filesize
1.0MB

MD5
9c79c75fa87c0927f3196763dbe47c76

SHA1
b9fc76de8fcf0ea99418098079b6a2c617e9039e

SHA256
503a02b2ab6e569f58b14d1420fd2a66db78fbcbecc2d441e883a6a6b01eb81f

SHA512
ad2d0f17968bb8bb9c4aa9d136a18ee99e2c4fda2b2b8b8a8434746d91092f8ca9e968ed907ede90be8f9ddee6aedffd00baed0b11eb9ec3079780789435a1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cf8e96f

Filesize
1.0MB

MD5
a0e21cab0e35dd82f4f72267b78d3945

SHA1
7e7887021d809a0e32d3fda4488ba26b9ec7ef9b

SHA256
192addbef7b94d0b946a928e4fcf03304d2e4ede80c9ea1913f0d5e2f5a405e6

SHA512
6373375d01f10579487c8b9c2338cbcfa7b1187cfb36a33127a7646c454876ac5b3731896726e4d8798c862a0617fc0a080e33f966b47665e9867faee1bce851

Download Submit
C:\Users\Admin\AppData\Local\Temp\6560a715

Filesize
1.0MB

MD5
06e87975590c2f496f93c69cd81e9c23

SHA1
8fd1c4d5a1bd053d8b8d21dfe4f4981ed41f6d46

SHA256
6e67c1e4566776617e280e6b9b995a605ad4da769976fbc10ecfbb89d770fe30

SHA512
8b48c2f8aed381926218c21019c4685c6f6a148f86675e15a31a519688b81223654ec849f0805ecab7d076d2d7aa12027cdfd6f530ee7fe46236f90bcc012d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC5D88169\Setup.exe

Filesize
282KB

MD5
37668418edb0f30c6f38d08c5ef319b7

SHA1
72d173273dfc9a5cf0661ece8e6d90c602679ba2

SHA256
4a7930a7130fe7c3c9822d90517e873e3e477c9a6978d096f740dc5b03770365

SHA512
9c5c0c3a095824c51c349487c2366e4dcd1f3602082627296ac06569b72e28ef1d976f8b3ef8df30a81d4483c3220cbb6ee429f7ad4633d8692b9bf3f4104fd9

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!.zip

Filesize
5.3MB

MD5
5ee1a91bb16f43dd51c9b6b9833dc23a

SHA1
e819be038460fc3e73fa2266764ba644a41486ca

SHA256
ba4c332b39812241e314c347e0f4f437dbfca4fc0b31986c9d1fc11cfbde5e25

SHA512
c99b9133c4cb17b96d8319b697ef385b5be591fcd9e7b8127b1e0c4511f17840616f277050d9754e976222e5245d2bcf897c0457dd69d0fd7c65995c2a0921c1

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\lalapalooza.indd

Filesize
835KB

MD5
000d435e4e6f05c2ae05f442de9f6e08

SHA1
9b1d0b156aa2feb1f119a866ac5f6f5e025c8537

SHA256
8c09617fe6ddcd3dc856163f732e3502fd84fda83af50e867f56b77ecfcc9978

SHA512
7f1f93731262261f7da7219c2fe49ab321b8529f230d99d4536a2ea7ec4d45b1e54dc3c4545c0fd9074f9ac3fade93b2b8e164d0bee26915c9e4ec9b24be7afc

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\mozglue.dll

Filesize
834KB

MD5
3db878c40dcabb21abc9a2bbbd5eb842

SHA1
791ad5ebd242b487af20a8170739e6818eefa617

SHA256
c902706c45b32a1c630520d033bc1723c4b1f8fd6564367e87680d765547b0ab

SHA512
519a0c01f19481f687b0e4ab1114c2fa8fd035530b7f6ea89c1163a4919598942077c98e39b3a74465c97f72349ec6a7e3874486480589d78729587f089feee4

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\paranymph.raw

Filesize
75KB

MD5
17e1a0d2b6b3aa0cf0b726419b2ade2c

SHA1
fc63cedec99985d9a8e47c14d8f91340d1189e78

SHA256
9d5669961e9491cd828f60a8016dc017383ce716dc5422f5dc8faef17a28332d

SHA512
4bfe688f96caa932eb34767029a11518a02b61c6d05d9816a23d52d72449ce64f32af56c272585861f2a56d69c4671ddf3e3e11e9d0cb0310fe9375968ccc5f3

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\Downloads\!@ŜetUp__25907--Pas̈ᶊW0rd!$!$!\New folder\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
memory/640-340-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/640-365-0x0000000076120000-0x000000007655C000-memory.dmp

Filesize
4.2MB

Download
memory/1140-398-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/1296-308-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/1296-315-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/1528-343-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/1616-371-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/1616-385-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/1776-349-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/1776-362-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/3052-403-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/3052-400-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3496-405-0x00000000005F0000-0x00000000007E0000-memory.dmp

Filesize
1.9MB

Download
memory/3548-657-0x0000000000FA0000-0x0000000001007000-memory.dmp

Filesize
412KB

Download
memory/3548-426-0x0000000000FA0000-0x0000000001007000-memory.dmp

Filesize
412KB

Download
memory/3548-422-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3940-337-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/3940-324-0x00007FFA3C130000-0x00007FFA3C5A2000-memory.dmp

Filesize
4.4MB

Download
memory/4348-402-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4348-399-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4348-413-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4860-383-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/5036-409-0x00007FFA3D1F0000-0x00007FFA3D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/5036-425-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/5036-411-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download