eternity | hxxps://mega[.]nz/file/WRFGxJKY#6CMUGnvejNik6PiitK_L_Du9NdMrvDVbCdl_mW1XZR8

Resubmissions

27-07-2024 16:46

240727-t9367asapb 10

Analysis

max time kernel
438s
max time network
444s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/WRFGxJKY#6CMUGnvejNik6PiitK_L_Du9NdMrvDVbCdl_mW1XZR8

Score

10^/10

eternity discovery evasion stealer themida trojan

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00090000000233e1-503.dat	eternity_stealer
behavioral1/memory/416-504-0x0000000000170000-0x0000000000F20000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Lucifer v2.0.9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Lucifer v2.0.9.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lucifer v2.0.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Lucifer v2.0.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lucifer v2.0.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Lucifer v2.0.9.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Lucifer 2.0.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Lucifer 2.0.9.exe

Executes dropped EXE 6 IoCs

pid	Process
416	Lucifer 2.0.9.exe
4472	Lucifer v2.0.9.exe
2852	dcd.exe
1224	Lucifer 2.0.9.exe
2532	dcd.exe
4200	Lucifer v2.0.9.exe

Loads dropped DLL 5 IoCs

pid	Process
4472	Lucifer v2.0.9.exe
4472	Lucifer v2.0.9.exe
2036	taskmgr.exe
4200	Lucifer v2.0.9.exe
4200	Lucifer v2.0.9.exe

Themida packer 45 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023578-511.dat	themida
behavioral1/memory/4472-522-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-524-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-525-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-523-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-528-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-527-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-531-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-530-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-529-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-535-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-536-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-537-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-538-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-539-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-540-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-542-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-543-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-544-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-545-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-546-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-547-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-548-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-549-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-550-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-551-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-552-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4472-567-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp	themida
behavioral1/memory/4200-584-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-587-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-586-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-585-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-588-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-589-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-590-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-591-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-592-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-593-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-594-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-595-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-596-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-597-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-598-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-599-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida
behavioral1/memory/4200-602-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Lucifer v2.0.9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Lucifer v2.0.9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4472	Lucifer v2.0.9.exe
4200	Lucifer v2.0.9.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
3064	msedge.exe
3064	msedge.exe
3356	identity_helper.exe
3356	identity_helper.exe
4144	msedge.exe
4144	msedge.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4472	Lucifer v2.0.9.exe
4200	Lucifer v2.0.9.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: 33	4064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4064	AUDIODG.EXE
Token: SeRestorePrivilege	2716	7zG.exe
Token: 35	2716	7zG.exe
Token: SeSecurityPrivilege	2716	7zG.exe
Token: SeSecurityPrivilege	2716	7zG.exe
Token: SeDebugPrivilege	416	Lucifer 2.0.9.exe
Token: SeDebugPrivilege	2036	taskmgr.exe
Token: SeSystemProfilePrivilege	2036	taskmgr.exe
Token: SeCreateGlobalPrivilege	2036	taskmgr.exe
Token: 33	2036	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2036	taskmgr.exe
Token: SeDebugPrivilege	1224	Lucifer 2.0.9.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
2716	7zG.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2292	3064	msedge.exe	84
PID 3064 wrote to memory of 2292	3064	msedge.exe	84
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 3784	3064	msedge.exe	85
PID 3064 wrote to memory of 4856	3064	msedge.exe	86
PID 3064 wrote to memory of 4856	3064	msedge.exe	86
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87
PID 3064 wrote to memory of 3136	3064	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/WRFGxJKY#6CMUGnvejNik6PiitK_L_Du9NdMrvDVbCdl_mW1XZR8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa52e346f8,0x7ffa52e34708,0x7ffa52e34718
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1916 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11678846175281387182,304802828647579613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6024

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Lucifer v2.0.9\" -ad -an -ai#7zMap1438:90:7zEvent19184
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2716

C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\Lucifer 2.0.9.exe
"C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\Lucifer 2.0.9.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:416
- C:\Users\Admin\AppData\Local\Temp\q1ufvl4v.dqr\Lucifer v2.0.9.exe
  "C:\Users\Admin\AppData\Local\Temp\q1ufvl4v.dqr\Lucifer v2.0.9.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2852

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3eee6dd9131c49d2bc2329181ba6ebd6 /t 5112 /p 4472
1⤵
PID:4312

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\README.txt
1⤵
PID:5908

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036

C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\Lucifer 2.0.9.exe
"C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\Lucifer 2.0.9.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\s1iu3y3z.emo\Lucifer v2.0.9.exe
  "C:\Users\Admin\AppData\Local\Temp\s1iu3y3z.emo\Lucifer v2.0.9.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
2389ee5fc315de6186b1db05add97e15

SHA1
179842d4a7763a90c3e52ce057e68c7f085c731e

SHA256
67af739990ff75e5a9ef5fba6f20e1bce34f54b16e9ea27edaf71a11e603a1a6

SHA512
eb5460cc94ccc99c4c84c94c50967eaa67614380fb99410e98be877276b71139f12168607723aa32dffd27f02ea498a10658c1a8d578fe61655792149a421f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
e08735d8d04f386ff229cfdd8a901096

SHA1
e90c5ea41031dec6fee120cc3dff12883d030394

SHA256
dc42a69331760dd72e43c530f6bfe4baeaf1e8ac68edd7e6ac80d131afe9c0d0

SHA512
a1459dfe83ad0ce30a3c50bd9de00e56a57f66b6b96eda248288d5de02cb0bc5c22797e0a33188bfc09a66a0695e6b3c57ba5f0d743abf2c6e5a4b66bfd75386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b530445a8cc8145b3c7764410aadb65e

SHA1
6fdf2feae005538e8ec914ad7f868f36ea8f1275

SHA256
4fa06e8d958afc405b755edf1d5adccf1e3d51c6a7f264e586075d07ee6f1858

SHA512
b0c022c8d34c95078b13e0a7e6ba41e309c0ed52e1e50d8573cce7a2b7cda252ea3a6b4e499cd8fca7911849a74aa1ac25087813b9b61b054f77b4362821862d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0eeca083a91676fca5706523339ca9ba

SHA1
6ddd81bf32d79467a15f8a2645f7b157cc6840a7

SHA256
555b45987cffaeaf661825a97fb7b148d69511d2067705d6ea0f85cc9c347d77

SHA512
27cefab2069eeeb41041f3fc498572238615a0780403c1d1d71f5f332dfc437f9af71ead917ff1c998e6d9bb9469e4857563371da74ce27f9cdf62fd8de1f371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5441e2ddf7ddbad5092bc5015dce7530

SHA1
e8412751889682451565fb40128a38d117a9b64e

SHA256
aa0827173c5d166e4f5eec2bf61397cd6a4fe88fa54918ab7641ead6e220cb6e

SHA512
d6c624883202049963fea4046b6383735b846a250c40ea25d17125d8bc3606e923d6fcf8f1e25bfd08a324e66cd85d259ea341b607cc3c1eec78759edbb60b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c272b03defe0a0dc7dae9cb6c688086b

SHA1
33bf15d77c3e637918ab61af332f021322f86def

SHA256
8d6b998652bcb39235ce0f2434c2e34340d524048ea8696080be303b0deaf8f1

SHA512
0aff5ba5a9f6b23917c60ca8280c969b3b51ab73a0a18bab2103bef2feaea458183398182543b0b0c0e5d31057014234cc0c232d811cdc2b57457c55e9a4424e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e22c1166ed105c2dd9838cef4b577069

SHA1
f8b18fea0c32361f18dfe9110a9c95a57aedf0d4

SHA256
450023e2ab55bd2919ce130cbcad51242279534e27f1c678739e6344cc907bb9

SHA512
39a176d32d346233431cff75f7b7a32a81466e50e16ca6ab003480a8218ba634c5c22f11f17de35df92af7636d7a19de7c58346a4ffac68b4ae9944fcc511c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581539.TMP

Filesize
48B

MD5
89f82ed609a9cddaed4e6ab63860ba83

SHA1
9a08ed90f303fabc5374c590b0f662bf08555b2a

SHA256
30064e2df19197b0f578055d9af5db589a1feed4f718debcf2d4185d9672f0ef

SHA512
ac310bad5b4cf9f81e198e59793ba6aec718f7721c49876226987493ae6039f62875bdfa45ac72fa7babc01dd458d1ce1b936354b8bdec68b59b14a3d32c1ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
df7fafcc658729a17ad7fde8a3082684

SHA1
26b97c2982f36b57eccb9120f060567ae17346fc

SHA256
bce85d4d905a2bab411fa822a0415bbd8b23355e91bc3ee075957b3cf67a913a

SHA512
351c39af98858db9a5346d5fedd46a9ba7759b6223ae148d4f13e7000bb5b0d6b62b945f1a2cdcdee6b1da2579e76e761498496c7ce8a226897a729a0dc1bbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b4669337a39d1663a4b0e1a89cd4b38a

SHA1
17dafafcd97f081c48da1e4c8ae2e5db312814db

SHA256
fbfb2bdaa102561c0cf63180a9e5f961550f08e12f6b9c1df81099c1506129c7

SHA512
4905c8a23bfb1a503e6a37c77eb3d7b74e1ee24d81ee143617b17ffa5d34931d81eebd46c2a3ff7747615e7eca0ceab8ea634f6886748ab8cc8aa31fd462face

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1ufvl4v.dqr\Lucifer v2.0.9.exe

Filesize
6.4MB

MD5
4512f572be8e9b0cd4beef0cfcc5b899

SHA1
ea68a2419ca035feb46c88c768e445cc248fcbb5

SHA256
ec5bee0dfb9a96f99de36fc9705e6fd3d95267c97653cff051570d269fb1494e

SHA512
336c8966d6135df3a6aa691b16174b35406966a4553d41b683fbe09f561673d9d3d2b66fa2080c761d449508420d5a5de7a1d8d04245bfb5a50dd161ad05f729

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9.rar

Filesize
16.3MB

MD5
1ce316f996792cb41f7049e60d930ca2

SHA1
d01d000014144741efe7b4ab7badfed679d39a2c

SHA256
13fa80934f75fe9c9521346cf9b21ece445147d62650745f317dc56eb050c4f1

SHA512
3f334fe964089e4889ff1fde2f82a13f0dc7ddee704be637ebfb6a3511ec1b93600d6be0f72a16ae2b88b863f818b3d8bda5497238a0cf4bdb875477c9a41490

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\Lucifer 2.0.9.exe

Filesize
13.7MB

MD5
8c4d7e7cd9d17653a533ad23a7cad124

SHA1
579a754b8d3944773274c02abd0f58609d45cc5f

SHA256
498c449891726c5c2797b41df1dc323279bde49dd6b40f487c2c1621acc1ca20

SHA512
a24e9c5c8ab9b9621614e3e3177438dd5054626a166352e94ecb53abf3e2e25d76409c25ab813f1a9b867ab97852fbab3536dc96c2c5d11faa821185e8861ede

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\README.txt

Filesize
114B

MD5
ef67747893af4a050890fe8f376f19d3

SHA1
3943485c5f4a32fe558a913eb2b2a72318bccaf0

SHA256
e15b3ab77e709c8924c61b493144d1582bde1d28a5c30103e776e62e487d6d33

SHA512
b5c85ef8c7db488efb3aacaae449877e20f23edbc755b47c0ae92d44d5cface351a62e39f6f6b7970f483bb048c6297d24d8ce74205a0176b4152131ac6c199d

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\items.dat

Filesize
3.5MB

MD5
564eccbb78ddbe82270faf3e4edeca06

SHA1
98617edd0a48251df7f3c8458d8787896c9867a2

SHA256
00e30d583b0bff64c746236996cdb4f10637c24fba860f4a74659ff736ed5989

SHA512
3c15618dec9e9e3e5025488395cdb2bf5bb68566cba82a68fa3ecf3f78abf0106ec724376406165705912f5e80491bcb8fb67d30b9f908ff577fcd5992c9bfcb

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\libcrypto-3-x64.dll

Filesize
4.9MB

MD5
4f37d461bb8238b5398b28e7832e19bb

SHA1
0b6796313d78511ef5f0cf3ef32e8d661b52577e

SHA256
918fe619e132a2e0c0f11fcad8394dff79f42b992816a111bfd7796c7b750b54

SHA512
63a08c9326ab56d468001730bce93969477f8cc195fb2a2444a8fbb2b230fe95ff72836b26e5df5b893ef783b4bcb96bca81974dc9e511a9c184060bb1a3a3f6

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\libcurl-x64.dll

Filesize
3.0MB

MD5
8c5768ab3d6d3ba0302d580b19e7a1ed

SHA1
879079b8cd9c0893fdb557cbaf8f255d0d6cffbe

SHA256
ee25e47766876cc70e5e613c6ac2cc8e6e8047dbe99a5e6cea4a5ac9ec45f7a0

SHA512
dfff44365cc8596f22d9c8bd581892146bfd6239166e5a83eb7d7476e5f979d28311a99748439011f916178f71360ef4407d577a0461170627bee3ef8643c834

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\login.json

Filesize
299B

MD5
39490b12a57844e2bebfde0aafbc236c

SHA1
90ae81f1fc66705bff09669d5f5a45910a221815

SHA256
be808c93b286ac9eae158a75c65dc6d5b4893159e596b2914036fd0d989e26a9

SHA512
4d1470e2987c087f71c4df415d6fa735a67c6564f3d1dc8d52c4c953f82abc906375d3b1645766edaf9572850d5d138d71763da00c80f1aeba5b1afb86022820

Download Submit
C:\Users\Admin\Downloads\Lucifer v2.0.9\Lucifer\pack.json

Filesize
678B

MD5
5def55a742395a03630245329501ee99

SHA1
30b2404e16e5315a1e12adaeb84ec17db061925f

SHA256
b4571ff525352dc8ffe364843dc059ac4a6faca6c16e54150a66e41e5f972d4c

SHA512
4fb5e7c88901d2ac7c6acb869f3a26d996f72653548b30a7c08aef2512e4e108f7e942093cdce12eff11fa07e298dbd95b0029579175eadda9899d2fa1dd6bca

Download Submit
memory/416-506-0x000000001BDC0000-0x000000001C460000-memory.dmp

Filesize
6.6MB

Download
memory/416-505-0x000000001BA70000-0x000000001BAC0000-memory.dmp

Filesize
320KB

Download
memory/416-504-0x0000000000170000-0x0000000000F20000-memory.dmp

Filesize
13.7MB

Download
memory/2036-559-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-555-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-568-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/2036-560-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-561-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-562-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-563-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-564-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-565-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-553-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/2036-554-0x0000019AE6E80000-0x0000019AE6E81000-memory.dmp

Filesize
4KB

Download
memory/4200-586-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-584-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-602-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-599-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-598-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-597-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-596-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-595-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-594-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-593-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-592-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-591-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-590-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-589-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-588-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-585-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4200-587-0x00007FF77FBA0000-0x00007FF780DD3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-549-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-538-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-525-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-523-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-528-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-529-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-522-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-530-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-531-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-567-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-536-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-537-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-527-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-535-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-552-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-551-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-550-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-539-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-548-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-547-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-546-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-545-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-544-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-543-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-542-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-524-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download
memory/4472-540-0x00007FF72B170000-0x00007FF72C3A3000-memory.dmp

Filesize
18.2MB

Download