lumma | hxxps://www[.]youtube[.]com/watch?v=z5VFcElg9cA

Analysis

max time kernel
169s
max time network
168s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2025 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=z5VFcElg9cA

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 1 IoCs

pid	Process
1536	Aura.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 3376	1536	Aura.exe	119

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aura.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Aura.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
4072	msedge.exe
4072	msedge.exe
4448	msedge.exe
4448	msedge.exe
1860	identity_helper.exe
1860	identity_helper.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
4984	msedge.exe
4984	msedge.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	236	AUDIODG.EXE
Token: SeDebugPrivilege	1416	taskmgr.exe
Token: SeSystemProfilePrivilege	1416	taskmgr.exe
Token: SeCreateGlobalPrivilege	1416	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe
1416	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4384	4072	msedge.exe	77
PID 4072 wrote to memory of 4384	4072	msedge.exe	77
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4808	4072	msedge.exe	78
PID 4072 wrote to memory of 4364	4072	msedge.exe	79
PID 4072 wrote to memory of 4364	4072	msedge.exe	79
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80
PID 4072 wrote to memory of 4908	4072	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/watch?v=z5VFcElg9cA
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc3933cb8,0x7ffbc3933cc8,0x7ffbc3933cd8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3928 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7852 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,15322322638505586716,13246445281566673926,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1276

C:\Users\Admin\Downloads\Aura\Aura\Aura.exe
"C:\Users\Admin\Downloads\Aura\Aura\Aura.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0935d7ea5031f88cd00d50a29020ca19

SHA1
6fda8cace794a73a5d26a73cd084d82787535c76

SHA256
12c8a25523cb02fcfae0e6f8fde6770c5ff5bf2beb119bd11128e5ca9d541ced

SHA512
cdb3ff48765643db9b6b0c1f31354d493e1cba4fe4d70ecadce6f7e32736b826d73be7d24f6ac1349db580d14b425badf6b84a264fa985ed0725eb50ab993dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
afdcf6c5ba8a4b85eb5ad464129b7974

SHA1
1c8a5e48d498f858855cf26a20c4e6af091ee666

SHA256
2f74875649f5d803d4828862fb35023bbf3361b77f05ecc2ca980970a1625e6c

SHA512
a8e95e2211c426967eafb46822f610a47c6fe557bbc3d49217521402847d0b8f609a2cc948b0517071eada410491a5518bbc10229b90a5615a94d0223c589dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
871b52fdad6ed1093d72f6aaaf4e7583

SHA1
5fe6c2f731f4b22d7beae1b3151b9c00b535075b

SHA256
06ffdffd589f82a4e1abab20b0fb07757954c6d176baa7c1892dde02da929324

SHA512
0b1979caafb597a911e6a06e137112da5b63d8f390d93b07ef636d72869ad80c1869e882b595c43fd731133a7257923fa5062264b1c861798f06b04d03ad254f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8d922aa93c7caff0827ad9cfe80df8d9

SHA1
17ac56c31e17562b679b22cdb1869ba0eeeec025

SHA256
9e97c45327cc5a7d578078edb7306004013e1e8749bce2d2c6583b890fbb91b1

SHA512
47b712adbd28415c9605056da4521f00f49e799069c3209ecb40cfca616fee0b77416d0eea879c4fd6bf2f3f2256b7231f26dfed64b23e6773e52236b5392354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
595f1bf0bd977638743fd3640e4162bd

SHA1
cd58504d4e01acfa545028cfb16a7e7f8e27bba5

SHA256
58e6d758f50e88bb0d597ee765abfb592132237df6d753501bb5f7a9523bfb33

SHA512
df73be3f54db23e00d6d9a3b3e8a7db64f83ea44b264b8e4e4b449dbd364640addd24e0be55c148c6f4e04fbc3733b49e2815a8dccfffbe1b6f3b79261718b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
91678ad3f6b7083b335e207ce5937845

SHA1
7662a36940c66b9f666db0aba602d7d9d0195fbe

SHA256
b26d4c7035b47e031cba30beab599bd5ca30036a12965565df673c2988747eef

SHA512
f39d2875ee61adf68a3a09e6d6f08543ed86b2830a13f04ea1ed12282ae94b79318f61bdb2a6a61036b587170a1ceefa17fa219f0cc8e8b59342ad0080cdcc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
bc624c330ac8c12cc180cbedd2dfa761

SHA1
01234185d16080eedb69f527fedf71921ad129cd

SHA256
a9fcfaba7cb8574a1dcd07e334399971666d539d4cd31ab0e1a56d64c5157071

SHA512
149a9078623c28df8122a6acd4a78b19fc0f31159b4267b7181b5c473056d9310c617bfe120e445a78e745c7fa8eb45311a48bd4ad690ea1bfff8933f7698444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e25377978be0223f41499e889047d57

SHA1
1e4903ff0c06c5dcbbbf5735de1ebbf064e88690

SHA256
d56e30c37987ed532c6eb99c34af5c9a6a28a020d838b52c1345a51a7a9230b5

SHA512
bdf62b4a408d6b0c3174b82973f5db2b7f29d9fb4244fb52eb2b5cc3b10ef0ed3abd89b5b99552e9f7d00357acdecc5783f699a2ac763df1c11cba3e1d216d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2bd8ac76cef760ed250e25091a518dec

SHA1
9e0874dc24d21bc48dac5e61da7e1f0678b8d201

SHA256
79aac75e929c4b203daf5fc735cda14c123410164428c28889a1819af4d6f482

SHA512
5062bbfc17646cbc0b5d755bc98343126601f532a9919e68e0b4102d8e60a8b98f3fb98b2d20b54354a35d9994083e15235b35020c853cff9a3cfbfeeef68a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bf9833d0bb2d7bdf23ccf043c4dd91fc

SHA1
1eec6354c16e926eb5d8127dd3d19e3eb74a8293

SHA256
45578f3505d56a77c9fdecfe044fb9d6761c19762706e5d154858f2df02b6a0b

SHA512
978647767a941557151cd1cc696a7fae0d997b4e712c98b05c31569121b3a58a9f4ed6c2b01f5253f67fc42d360d0ea2e73218afca12bc5be70758f9274e51f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
61ad11783b2ea0a248ee7f2582a1ebe7

SHA1
30dd484cb2a5c2e17631483035061e49550a4a88

SHA256
ad63e36822736ca2b0657062cd1334ee8d890f2caec8dd319fb1db6f706bba02

SHA512
68914d54ecbc71432adfe94513ec4721855caf504b9595a5b60721594ff63333c8918f3fb86cfcc2bb700db6534d5b64507fdec0411178c0f378950f12b2a292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\05fb576b-df01-49be-8811-e19d6eccc6e9\index-dir\the-real-index

Filesize
2KB

MD5
a2710b2ed0e9463efd6c912cd256f7e0

SHA1
50db06e5e71d73d7df295f199fb58aa113d81579

SHA256
980fa79c272eb9ed834b0e5d9e0927458e9c725ceacc2a1a0044a56076614a4b

SHA512
379d86dc4c053184ad92c373b6f318f377cd5e8aee3ddfaeaa30df16c25ba76524483b9cbb2166bc78b9b0d1e0b2041d7976c8c22dc5399b34c10cfefe03fb6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\05fb576b-df01-49be-8811-e19d6eccc6e9\index-dir\the-real-index~RFe57e975.TMP

Filesize
48B

MD5
dded0c8377e2e11034f4b05f7d49d055

SHA1
287f83407e04f162cbd47fc662c743cb5fab2bb3

SHA256
4c79c8693a50019b2b57408084beb5b629871b4645d5415ebb4a183f1618e799

SHA512
d504e9125609cbd66079fa47012588fa11bbf1f699272f3ed502d428a120793296a5fa7de15e52bfd3f33008fa4be91aca83f4532dcca3ea80691a57776319dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
6590555b90ae7ae54afc4f245d4b966f

SHA1
334265dfc692922b02dad3f179575cf415bd8fe8

SHA256
9a1ff499a9916619b14ede2525d7dbe44dab173bb7c6aaf94ccf1a1251c257e6

SHA512
f82cb0fe8c2818d2d3065d945c7d67b48a4a6ea4a7d7d20df171387bb4b924262648cb0f46138a2295f455472d45adf2f6c8bb7fa5cd6625e6fefdcf7f0d2038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
49f65be6f7c4cfc0a2b635bc37620380

SHA1
14ff5b3c5db52a9e78cd6a16055708bd2e1c56bc

SHA256
c651e2b89f7e5ac865f55ff79e9e6acdd04d9f11d692b7b5a5a3785ccf5267da

SHA512
8230b014538822c889fb412f8e52aecba114b54c70c074bfe142c0b0c21ed8ed9ba2135eb6e20c2da5cb5ddb81d439c881eeea8cfd89d99c011dadcb8c347251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
fe3a3fd95b3661e8b3c60f7f7562f774

SHA1
856b8d1bc36e9a0a2107b94af8c7a6662328f456

SHA256
47f9821da792ed98f73de33019ef503617770b1e676bbb2fcf460b704114a614

SHA512
4943b227f000009bd939daad09ff26427b26067b5bd927354baca6ca66fdc40f1d3f8eb786ff20ef5a48f068c158c827d0680254a3d50f9c7257c0a8048dbaf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe578491.TMP

Filesize
89B

MD5
5b4d0bd6508657038107754cacf31deb

SHA1
aad47cad3a8c68aeea81e27ccbd370de601b62ee

SHA256
9ff8e4a1e8d6ea88a6645c1fd3cca4dd5cb6654196a8ace7c6425fc4edd60530

SHA512
b7c7065c8d40a09d23469953f9321b6a5ef123f6bece6fa3e26cb09a5a847fd76bf3d3cbdf6bfd83c1313b38f446956467778293d14a34171940d37fdc25a748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
404a75df6302031cea2093a70620edf0

SHA1
77b353cbb6336ae3bee0c9ba3e4003193abf9ae4

SHA256
9e5b36df8f72488ce083649eba6d627dda013262c2505778ff89e8e6e225c18d

SHA512
682482c2c16022b1c4ebc73577a1365a232de2444274361da898e453270459b162006b1181cbe7812551a6ea0afffb481def32fadabb7b84881bd38b779d1001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d39c.TMP

Filesize
48B

MD5
6841c573174222ea51a426e018d181d9

SHA1
9ec49ecf605b9243f819868797c438a47f00f19f

SHA256
ccc6db303d5514ebbfe7c4e5b2ca389cfedda1f0d253832270c02f38f22783e4

SHA512
373d1843487e7277d478e949319b6990cecb1db3d50592cbb6e76458d62054ef7586321c4e0ed52e2dfcabc72e3b655ff3ca4b42e0eafcdf71724cfd7031ced7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2099d1ed8d1efb2fc946cfaa4e111561

SHA1
d31e1dbfb76b22a94e8853639f3d8ad33cd30f0f

SHA256
6020226c184c4d20ad69dd204820aa058a45aaf70ef4a6609f421c067c3a849d

SHA512
d7e853f274b8481bc2bcd4880b82b46abf13a0340de3f0917c56e96161166c6124ee4601d75532cb19dab339d0d5a516c58a5a2fcf048d3a19e8e657ee86740a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0fdbae272de82882f4a666d96e1e7887

SHA1
ce400d9f48ca31326176011d6bf44d82e75686a0

SHA256
51e9d9727e0010e854ec533e8ee0d513ffc6755563b69cbc6ae086b573d1a60e

SHA512
5d1b0e668aeb6feacc403a1cc45b4916dad39bf46906d6bd669bd38a6a694aedc4d69d873f6754dd2fb0a6f215b84ec3cc5708912c866c1f423ae5aea5c7e75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d4f3.TMP

Filesize
706B

MD5
7288f5c425d2d9e7d7b07dddaafa5a9d

SHA1
bb105b2d2ad7513b5d273c8d8454d3cc2c9f17a3

SHA256
3aff802058a5ac26b2cca25e86b01a4a1aaf28bfd5df213abec9ebcd2340432a

SHA512
ad87ac9143e8f4a50562bc9695463ca766764af72bf42bf6b3bae818cdd044c91e7be4303864514a99724e093a5aaddd32e82cced442fed0ea14c14607699a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eca25357cd2f64b99ed8592fd8adeb3a

SHA1
a62457b10d30a647afc5614d29af7c81d276b4ed

SHA256
c17bf9334841b7764060a559f1ef3244c58a728f913cbf71caff9196a696b261

SHA512
67eaf54f84a1cee38920362f4173dbdd33b59ac7b0a15726daf28ffe259439d293122ff6ed4f1f7fbf7709ae17eb954d9ac6ae2dc1cc7c9149f4cf4d5a7a6111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7908da528522ab215957d5d71ea6e2bb

SHA1
95c9caa5fa8d0e177025a9fdfb498829e3d61a00

SHA256
0d3049e86873bdea4f9ca666e125ec92fab53b93a74a7a6bf2e01f3e57b32e94

SHA512
eda35d4d17d99881b012801fa99941ab3db4e660dba1b2917c6a43670fd0427aa7922d21303ba0e3de7dd55a7b03569f78170c2af4e4373245dc8250f217d45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e3db4605d2c94aa7c4e06f8ae0e549b

SHA1
3c1cea73ed8746b4da0d0fad2ac63f2f65c54b07

SHA256
1056c788946fe6988e26610b25b07bc7d426de87cbbbb0403678597114dd1e3d

SHA512
1b5f3a2cb9d200b02a60975d9ceef44c694525049bad99c42866630d1293b190a50994490894086ccf56e8dd04ac89bced55c4e7eaf9fe29b3d26d5d992a6a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88f5296895d6acd8667d6fec69f4b1bf

SHA1
d7e85bd993da290d2a125a1b1fd0828af8357e5d

SHA256
0801144da80bbb041b67c3ab13c6274007081b6545cbaaabf9dd9d35f6341877

SHA512
0e87c787825d794c98680e3732609f2a0b97eb385075241b3f4f60aec65318424e41fd8f7668ed10c4ec7d7d20f48cd1f7f44b3abfe82be5453e21c826a25765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b549ab711238d67c9bc14606b9fd50e

SHA1
944af3c0f0ad34ce4f16a74016ea9389d816e1fc

SHA256
01b3c536f7e11cb1bfa511bd1d9191e99721bcc99fbae94c99ffffd59fb8ffe5

SHA512
c415bc7c826de6445ea4ce9875ac7c0e9e13053d97f038088a88754bf404fd69e8d1744563716e7c31feae7370c0526d7b5139ca86610ce64a445b6bb4e490d3

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
458KB

MD5
1ff4f18d18aa84a2a5d6cbe139d810e7

SHA1
4b29c853c96e340fe1fc3bbac84f26397b801274

SHA256
de8df68281c5071a73545a020a757e079ba3f687a7adc9f6a5464967b83d0751

SHA512
8163dcf69080410cbec42cc846f15cd9acc4b7c7bee7cdc3b8f1f91e5454ff32d196400143ef787efe8b4bb0a31364bc9eec3c6e21eed51dca152192df08a9c2

Download Submit
C:\Users\Admin\Downloads\Aura.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1416-603-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-607-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-609-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-610-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-611-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-612-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-613-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-608-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-601-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1416-602-0x000002D116E90000-0x000002D116E91000-memory.dmp

Filesize
4KB

Download
memory/1536-719-0x0000000000090000-0x0000000000118000-memory.dmp

Filesize
544KB

Download
memory/3376-728-0x00000000004F0000-0x000000000055A000-memory.dmp

Filesize
424KB

Download
memory/3376-731-0x00000000004F0000-0x000000000055A000-memory.dmp

Filesize
424KB

Download
memory/3376-726-0x00000000004F0000-0x000000000055A000-memory.dmp

Filesize
424KB

Download