lumma | hxxps://drive[.]google[.]com/file/d/1Q8uEkCcr7RFJAgkUlqXatFH7sOEYzfjy/view?usp=sharing

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Q8uEkCcr7RFJAgkUlqXatFH7sOEYzfjy/view?usp=sharing

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://pieddfreedinsu.shop/api

https://celebratioopz.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://mennyudosirso.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 3 IoCs

pid	Process
4808	Launch.exe
4448	Launch.exe
4916	Launch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 1544	4808	Launch.exe	125
PID 4448 set thread context of 3556	4448	Launch.exe	128
PID 4916 set thread context of 432	4916	Launch.exe	131

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
960	NOTEPAD.EXE
4924	NOTEPAD.EXE
4788	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4348	msedge.exe
4348	msedge.exe
964	msedge.exe
964	msedge.exe
4684	identity_helper.exe
4684	identity_helper.exe
1816	msedge.exe
1816	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
3108	msedge.exe
3108	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1488	7zG.exe
Token: 35	1488	7zG.exe
Token: SeSecurityPrivilege	1488	7zG.exe
Token: SeSecurityPrivilege	1488	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
1488	7zG.exe
964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5088	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3848	964	msedge.exe	86
PID 964 wrote to memory of 3848	964	msedge.exe	86
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 1048	964	msedge.exe	87
PID 964 wrote to memory of 4348	964	msedge.exe	88
PID 964 wrote to memory of 4348	964	msedge.exe	88
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89
PID 964 wrote to memory of 1804	964	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1Q8uEkCcr7RFJAgkUlqXatFH7sOEYzfjy/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ada746f8,0x7ff9ada74708,0x7ff9ada74718
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17569514606927470032,16194018622621504419,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6436 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Main\" -spe -an -ai#7zMap14051:66:7zEvent29151
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Main\Instruction.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4788

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Main\proxy.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Main\output.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Users\Admin\Desktop\Main\Launch.exe
"C:\Users\Admin\Desktop\Main\Launch.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544

C:\Users\Admin\Desktop\Main\Launch.exe
"C:\Users\Admin\Desktop\Main\Launch.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3556

C:\Users\Admin\Desktop\Main\Launch.exe
"C:\Users\Admin\Desktop\Main\Launch.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte8e4af67h4e68h4f51h8df3h4a778331270d
1⤵
PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ada746f8,0x7ff9ada74708,0x7ff9ada74718
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,7640315488726188199,531550442232638616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,7640315488726188199,531550442232638616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,7640315488726188199,531550442232638616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault551042a4hfe02h45f0hbb6ahf2e24c8d07d5
1⤵
PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9ada746f8,0x7ff9ada74708,0x7ff9ada74718
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,5491311727342972109,9975910827135249918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,5491311727342972109,9975910827135249918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,5491311727342972109,9975910827135249918,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Launch.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e5609bbe458c6278dc686a3156165946

SHA1
0e6e06ec248634ad148b17b51c88f6a0fb16e20b

SHA256
dccda5608e420fc56ae1e2a8d188bdeb6c36b726e128207c3a8d138861a59f1c

SHA512
92a4fd2db229b04ed3b53023db3931684433cb191a34e3cd15abc993ced8316ccf55b74feead600113a324b89000d9443f9b8c0c0a4afceb20632429fc26f3d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b1aef3676143908be2b684dd6601e248

SHA1
6b1c544684c0c7fbe483212f7e27a3e8c5bfe3db

SHA256
0f1584b492e5dba4483992d595195856a28d4a079121c6f6831e1da8767be112

SHA512
a7bb38099020bfd2571be09326e2a5a9a0529a19f22a56d619142fb7a06e0e28fb116eb53fc2f67ed200b2c2cd33616b885a30115f23e6bf1570b28db8aee7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\16836edc-db55-44a3-86ca-c5949c0d713f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
f93364a71e534d3004ad66dbd0a99eff

SHA1
7963532003ba9b07230d7e6b64f8a2faedc493aa

SHA256
016dda856c52a169f704072426e1b84ab20a7c3347d731b7abdc7d3742513694

SHA512
299c90fccfd31a84f514c1e186ffb9f3608889804f2252639fba0b462f027dbbf4c0a9a39c8cc4654732ff3043417368590f2a8bb2be9e9c70699c9cdd76a7e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
8ca14a53057000daa9324ad6a6060d2e

SHA1
939cef7c6fdfaf3186a9ae0a062596bf0b1c1a36

SHA256
781c17bd48e87889c40f7e74163b94e8a0b84e340f4a21ee31f762e23bfedb5c

SHA512
b0550cb3dfccb044c3fb0679443f15a21c6e95911cbd3b78c4020f8aa812ea413f33945aae51833d6ecc9c834a21b2fa6758390bf5d431b8e23298918da74488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
7d057eeec3678c981f023559827ad989

SHA1
01cf6af8c3819519d1bbfa4adb002128ac04afeb

SHA256
223fc2f0ca37a0ba312aa191d710dc8cf6da1f32509df5f804f741e1878107a7

SHA512
76554a4165cfac99726cfbb5fb73dd1ab2190868fc14cc21b18abe04558824c9b3455c056efde5114af44117e6be2c9a75ca72f1d6b0364a1cf5f8610d32409b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
95B

MD5
e747f00bc750c8b5438d17c626546063

SHA1
42fdc138eb2e3f5b19b21426a0cf9aa08fc2578b

SHA256
eb8ea32b91057259f2cb40d6f8fc63367a39685486fa045bd0d4cd57b4613b06

SHA512
40ac77e5937d6a79f104bd309e7e6e5593bf3c03f02efdbda375df04a7cd26afa3a7f677e7184919e25673a53663bcf36364b5e277d499d97046837fccbdf4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
867d8cf1c233d9620e7c67af6f85900f

SHA1
058b11a2d0b5eddb573b4ea6c3a2e169f0a5d144

SHA256
ae251c1019e36bfa6d39a030577b9f84498dd365ab1b3d4d220c7c9eeaf104f5

SHA512
3c164be8462b33771f5b7513be860b32c5568175dc5b7d34f0f09769c366a7153da7e2029b585dcb9e8f5d73068f6f42e90bff54f999500b0aa0a7c193535c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5c02c61f2ee2fc12cb460681034d41bc

SHA1
30374c433b0e8bf95ff9e435d53a8689bdf91490

SHA256
112001d60b245723f9c29ca1947dbfdfd59f3bc7e0dfdf04ff610597f6499106

SHA512
c80b7c3076918b3bf38f080c6624105310b0af7eee558ea8756689db30b9424dcbc82a75ff5ceb61aae0e25cbca4caf147aba904c413aa20f9e84c57dd57ed74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
99d845d2332a0b0e64c8c61d37d212a6

SHA1
a36f76a92779b78717c35e45021475507b0e49a5

SHA256
9ff3bf6379ded3d44588f663355603bd258db2230856ef2d4b4a32bee958c893

SHA512
7075d06571cb5d0be0cb6c559a49461b97e67a5f16f7186e48e62630f309b5eb38565f295035e5a3dca5ae4c1156cb919223c9d5829ea8fc4fd11d3a5951874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
46156103fcda83bf1c6e7d303c93cbf9

SHA1
7cff031ae729146a0b15f7c2c675bdf13dec8d85

SHA256
2ca10f2880b72a6c81728845d0339e589b221d689f63686b8ef5f563d11585a9

SHA512
efcc6ffea7c1278a4727346ab25fe8bddb2de4ded3765ded621b59398cacb81364d5aa3937d9783718b7ffe4d5654737b72f6ace6b3af65620bcda7f1cf2a20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e835c03525b977b366acddf1265eee7

SHA1
76e6d8b7b15c6ef1b2defd1d687e85e543ef96ab

SHA256
22119fbf05cd79cff720726ac3be6244537d1efc0202893b6403f90b55dd08db

SHA512
98058fb83936a663e2c7c085c1a23f04b743c978c18429c370f89d462e9a2ec685cc3fcfba28d72195c0eb93434b6d4ca92984e6264b46fd39266dc29857c2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a7194153d2b2dc6d0d34e4fa144dc65

SHA1
412fb089890f3f532083d5013240ce09f4fd2ee7

SHA256
2a08666029de4cf5f2cd075942b9d8ff3f8637fd473d05c461247b92d71283c2

SHA512
17ea53694518b4edee596c827415fa1077d7c55fd77bcb9b8473a8e4f5b2ce1c6945fdfb7f00012c710b4c4533f80538195ad17ac03ade3b1a53ef689a57f49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47d7d0f798a2077e070b0da60e013481

SHA1
708367616a2fe62ef6da38a44840a9251ad1b3c6

SHA256
434f1d3b8f2de47414d4214341a5b03a1c3197ef89ebac0fcf1963b6ecc281d4

SHA512
144bd8ee609727a5a32d5754253aeae295da044daff2d609cbe2c9311b061bbee2f414767a8ccef7f0176aac8cb91a14ff48bccead8da60bcd676371634f09a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bddd483ef31c3b89d1af724d5fe870aa

SHA1
0d8a12012d5c46c30850316162e2c1a8b6adcd82

SHA256
28ca0211cac990c5ddd615c98ae505fdac56740c028d493dc7967ec9d0e1877c

SHA512
be10e7ee14622b4d87b7070f075a274013d09be40e6978b0fcde6e089e5c2e065e1c5f5f9a80ccfbe82d6746c2a8579c111f5b7c050ccef34bc9a55c1d835640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf70c739161404a6b1ff77f5acfe1fe4

SHA1
4d90dbfc457c9c0b4634bee2681412db72c287b8

SHA256
fa1206ed44588af2c0129935e92ecb954e687843e014ab68a1adfb788639dcc7

SHA512
7610b1b11800d438011697a14545fa42aad55508b4b707d1c62d35f1fa0113bb3d1b8f4c5dee0aba3f33247370820e5ab391bef0c86915726c28db0827ceb91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
fd3c9f9aad395ab8f9de4afbb9399aab

SHA1
9fcfcb2cef891e073ffc1e1167a4a6c7f75cfc51

SHA256
4043a1f1e23135e87688c536c8dfd9447aea396d81f0b37a85b25f1dcac7b5c2

SHA512
816956f8f5e6054f5790a4516e3edb011fa93bac80ba78d7a6775c43f048cf212d8dc207ca4751cbc4c77b7da76a1862e17478e6962a4213376cf424031326a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
daf63ac621b73a778d92a31d442b85e1

SHA1
8bb20170b416fed446341f5036ad507e3085e697

SHA256
5187f01a542cfb9ee59cdc95094c96c68c69b86bd77f9d6f3b5331f5365191f7

SHA512
eb0f7bcc600d462c59d28a55cd84caa5f458aec63c77c072918bd4623df07d136c889e227b99fe46813bb9ee5266b20b9f04c0c7668e8825bf9a4d6239fe7425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
e8789b5acf17829b1c8b0853527846ba

SHA1
3b2817f263c33e7e735ed523b9e4eaa3913f2048

SHA256
723982bf5c69a70b663604276812137f1d3bbe071457785c161d188d32d9cafb

SHA512
b9ac278b097148d9858b6e36c008ba6cbf403a202d12910617c3227b2efa5c526c37582e55c2bdf0da8c347f2d26803263fd9b7c97af5c023614ae90ca0fc80c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
4258779b9fc4d18ec5b5b264cc8aed47

SHA1
47d7414111ffdacc0d0f3e1bf2b62306cebee85c

SHA256
37e10f87d0b7c0672540f9aac668339420be7a73b1fc90064aed9b960b29214d

SHA512
4c18dd9bb53c270791a566f69dc2a28decc248523a649bfc1549018eea1892b4a014f98356b1fdc4a2c23a9075e1b0088f0cd7b911bfff76c72af093bc63ed82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d4ec1bdea45164294be6c2aed456232e

SHA1
de97892614cf81baa7385f8e85563bf5c7b4141d

SHA256
f866f3fab22084a4935bcb658e3da3f3159ca57f5a123d836abfbc36d46c0a17

SHA512
969c03adefad98e3c6e0ad783f6b0bead4bdc7d756be67e8794e1582782975f4e04a57eaa9f3dce29a7533b9aa0b7e36914994dda86db9cfc237a4ab0ed0eb28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83bc2696f10aeb74bc8cda24bbfb7aff

SHA1
bd2803f07bce45d587e4cb02e866224e2f92aa34

SHA256
9c3a2266f80f3f8920375b4567cebc9cf4cbd04c1aef525ec251684cfea04ba7

SHA512
66a47f62af733b9dc5cce4aefae2a5b9e4963b4c95104d7b72222c0aada522a4ddbdbf732d6641579dbbdc13ea28830b2c21a1fc9ba021b8ebcfb809a0d613a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
3d432f6edc50ce9f0f8a4691abfb0910

SHA1
65f8dfe3491c6410c04313fab151f1f84dfbca7c

SHA256
7c2c7f7d7cf0678939742ba88eec7e05208a82f1bd4020c95c5d5723a0babdee

SHA512
b4b63b59d9dc68a4780dd4a97b96363152788599d48930025c9a5d704d001779b06eb0bc2e9f358017a5de15f722d2818bf65a6115095f47613a6ef2f0c785f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50ee5893b4710918cc8d349be27ef99c

SHA1
881a5aab88251af5bdc0fb14c806e92b39fc31cd

SHA256
22ceee5442bb1ec5c4cec2d39b828492a16779f786e1ae38b92201fc3e58978f

SHA512
6848b672ad1f9070e760415f6431906c6929e992892119e8fb12f1b56a1898c55a8588de991b8044c7598dec5666a76bcbe27bfd36ab8c7fc24bace818c0acd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
970512f553819ecc6b9ea3d5b1870bb5

SHA1
35c1f5261810899a31c85a02175bf92680b37daa

SHA256
fd500a76d760205604ce2272de877d1e5c24783b17911a771288a428016ca116

SHA512
9dbf78fa1642979b80f7c22558853d03997081642080aadcfa985e49a9b1e34dc5f5c07ccc3cd48184d121e0899c058d6bb3e5f8278a8030430cd31d1a4a3a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
343a29a8ff21e9fccdd1f40f0e843b8d

SHA1
885f8439475fe524730b373695d4ba4fa7952488

SHA256
a7ad0a7449da173047d816e3b45d9c648072af10ecc3b2b1500c32dabe649abb

SHA512
d0d76c1c9e4e5cd3ff6684efca93b5aa0a5f9cc4fa909d200f236b109558567aad723f43f71a0d69bd7b3205940ecb45ad975f4ade5e3162a392fba9cc33c97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6bc7f81e3cbc625587a7dcf5ef06d602

SHA1
afa2d812e9d67beeed611755fff2081718233a09

SHA256
ebed89abb3164c200544f861bbec88e4422bf935165852ee43cd355ecfd7003d

SHA512
c9ab268f14dbc7f1cd9d72f63416af3182351addbd905f3e8cb5bf47a29b1fc13240c5a866023fe5801b1da95e8669304e292e07722a93a9aca7956ef67092db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
59f348fa66ae9433ce70c9cf8a59f4c5

SHA1
1e112312a437b06bf15c70de287d4371f9e7f305

SHA256
bfde1f93b4a19f85bef19a9a25f281dd91989baed0d3926f0271f890cf645445

SHA512
c5c91dc3c56fbea764b12ad02d2b0a388d38b4f749c1159ea900fa25d6a6280690f5ed209a5065b12b99ec47ff68cce8961f6768d950270b85e09ec092da3bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
30eebd279bd645fca1692cc744e15e0c

SHA1
7d8608549edf49ff512e7132600af444d0d6c610

SHA256
b3df4a95997074e24f2c76a3090e04bbe0b0514d8ec724876079b59c0f7dc7db

SHA512
2799af24b95cb8a61105595ee426735f305ed78487471065ec8ecfc69f418641ee1718ab3baca842132394fe12cf6e4f17ded50447b84946ac7a1d8fab0081ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
5219ac9cb060eafa0988f43ae549a98e

SHA1
f924d452a4121e0c808c1b756cabf43938109733

SHA256
64428d9fd613a9afaf525f4a38448804adb094f2e7ee2cdf6e15f8647cb58199

SHA512
beb8891ba27a77216351c2ac197662c0d9db4bb92d98b9a13e199f620c9ffba2b1efe9e34ffe5e1f97b35692fec0f19e3d16722a2dc8ed348c23330ce76eea3b

Download Submit
C:\Users\Admin\Desktop\Main\Instruction.txt

Filesize
100B

MD5
f522459d2215a8dcc24b660201c0c3e2

SHA1
1e87432e98abd29ed715a201c6a57e313d3baead

SHA256
d937c82a9991a6c593826c32b170db21c8ed73af1e5d5935b6d5c59d23a4e436

SHA512
3bb11e3c38284b4bbdf2e384ba9347913b88898e4fa0f2419db07997d30c02759e19dba889a7e51b4a370e59c91aeccb067079793d174581cc61c4592e6476b1

Download Submit
C:\Users\Admin\Desktop\Main\Launch.exe

Filesize
380KB

MD5
6cec63a9ea41b5cbdc4f3952aaef9e3e

SHA1
bac9879e871e45182a613d036cc24959fb9d2b2b

SHA256
e84cc00d547f3c70c94c28825680d30050dc1ef35f1db2a8b5302c0c28f5a602

SHA512
59e8e4081780ae0f3eeebd6a872d431876686e36afa413b6cabdf688e772211b2f5779c27f10a5941016f47868971eb5626e4d2986fd0807dd42cc3de65964ca

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 973401.crdownload

Filesize
376KB

MD5
30f51bfcbd521bec4fc73d53431896e9

SHA1
4c4db9def98b39d05ccaa679e488e62f58c1bf25

SHA256
0249556c11fbdcea7e71587a9e081ea6398ace17b6fc497edc37d23b9dde6f46

SHA512
e7cf84f38916e3d16ddecdc1b4dc704f918848a586c9dfd30ebc86c876f746cec0ccbd644cd56d16e3c9dbdc23f4d13ac5f9c9587d618a47115bff8694106a1d

Download Submit
memory/1544-201-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1544-198-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4808-195-0x00000000000E0000-0x0000000000146000-memory.dmp

Filesize
408KB

Download