lumma | hxxps://www[.]mediafire[.]com/file/ltemareyq1pmqgy/#Pa$$C%C5%8C%F0%9D%94%BBe--2275__OpeN-Se-tUp@!#[.]zip/file

Resubmissions

06-01-2025 06:20

250106-g34sxsylbz 10

06-01-2025 06:14

250106-gzlg6s1kbq 8

Analysis

max time kernel
163s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/ltemareyq1pmqgy/#Pa$$C%C5%8C%F0%9D%94%BBe--2275__OpeN-Se-tUp@!#.zip/file

Score

10^/10

lumma discovery persistence phishing privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://swingybeattyz.sbs/api

Extracted

Family

lumma

https://swingybeattyz.sbs/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: #Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#
phishing
A potential corporate email address has been identified in the URL: #Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#.zip
phishing
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
4044	7z2409-x64.exe
2792	7zG.exe
1792	setup.exe
3660	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
3632	Process not Found
2792	7zG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2409-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 522379.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4132	msedge.exe
4132	msedge.exe
1484	msedge.exe
1484	msedge.exe
3096	identity_helper.exe
3096	identity_helper.exe
1656	msedge.exe
1656	msedge.exe
212	msedge.exe
212	msedge.exe
1792	setup.exe
1792	setup.exe
3660	setup.exe
3660	setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2792	7zG.exe
Token: 35	2792	7zG.exe
Token: SeSecurityPrivilege	2792	7zG.exe
Token: SeSecurityPrivilege	2792	7zG.exe
Token: SeBackupPrivilege	2852	svchost.exe
Token: SeRestorePrivilege	2852	svchost.exe
Token: SeSecurityPrivilege	2852	svchost.exe
Token: SeTakeOwnershipPrivilege	2852	svchost.exe
Token: 35	2852	svchost.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
2792	7zG.exe
1484	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4044	7z2409-x64.exe
1292	OpenWith.exe
1792	setup.exe
3660	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2308	1484	msedge.exe	83
PID 1484 wrote to memory of 2308	1484	msedge.exe	83
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 1028	1484	msedge.exe	84
PID 1484 wrote to memory of 4132	1484	msedge.exe	85
PID 1484 wrote to memory of 4132	1484	msedge.exe	85
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86
PID 1484 wrote to memory of 4916	1484	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ltemareyq1pmqgy/#Pa$$C%C5%8C%F0%9D%94%BBe--2275__OpeN-Se-tUp@!#.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcad9f46f8,0x7ffcad9f4708,0x7ffcad9f4718
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,1015347761195438786,4571876084857430772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Users\Admin\Downloads\7z2409-x64.exe
  "C:\Users\Admin\Downloads\7z2409-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#\" -an -ai#7zMap13613:178:7zEvent5934
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2792

C:\Users\Admin\Downloads\#Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#\!Premium--SatUp\setup.exe
"C:\Users\Admin\Downloads\#Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#\!Premium--SatUp\setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Admin\Downloads\#Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#\!Premium--SatUp\setup.exe
"C:\Users\Admin\Downloads\#Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#\!Premium--SatUp\setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
88518dec90d627d9d455d8159cf660c5

SHA1
e13c305d35385e5fb7f6d95bb457b944a1d5a2ca

SHA256
f39996ab8eabdffe4f9a22abb1a97665816ec77b64440e0a20a80a41f0810ced

SHA512
7c9d7bd455064d09307d42935c57de687764cf77d3c9ba417c448f4f2c4b87bcd6fea66354dfe80842a2fa3f96c81cc25e8bf77307b4ace1bbe1346cbe68435f

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
c4aabd70dc28c9516809b775a30fdd3f

SHA1
43804fa264bf00ece1ee23468c309bc1be7c66de

SHA256
882063948d675ee41b5ae68db3e84879350ec81cf88d15b9babf2fa08e332863

SHA512
5a88ec6714c4f78b061aed2f2f9c23e7b69596c1185fcb4b21b4c20c84b262667225cc3f380d6e31a47f54a16dc06e4d6ad82cfca7f499450287164c187cec51

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
696KB

MD5
d882650163a8f79c52e48aa9035bacbb

SHA1
9518c39c71af3cc77d7bbb1381160497778c3429

SHA256
07a6236cd92901b459cd015b05f1eeaf9d36e7b11482fcfd2e81cd9ba4767bff

SHA512
8f4604d086bf79dc8f4ad26db2a3af6f724cc683fae2210b1e9e2adf074aad5b11f583af3c30088e5c186e8890f8ddcf32477130d1435c6837457cf6ddaa7ca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
55f3a3cb84fb942a4c0fdfe7c5df1d02

SHA1
473999e3146ec70fc4eeb3509dd70f7337459edb

SHA256
9a63049bca0753d0a924327db663617ac048fa1bd0de18c9383ed2482722d3b6

SHA512
4399b1c3beb51d591b0689d9e7c5c9c6a083fbd3b7a116410fae0ba778d9a012dac56b572e4faad71dbf9bfd415a0324c13cab05e2499a7cf492667ad34e003a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2e2ecf87fbef718a76e89ef05a49d898

SHA1
b8c116a3e465c72debe74ae4522ffd3e631cc49e

SHA256
95f166971b54aca35744878cf7946b1f85b600f66aa263e198a77847731cfd4a

SHA512
e71e1c69c3d0ba991aa8b9cdb87491fe24e1cd437f57edb2b440d45a84bc0b2e68966fc3e8e42382f2e805661171d7a25c0f992b4887c3530759484fb69f88c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a09ac612e80a2dbc7e51af454591e928

SHA1
ea4818faf00e959a162a9e6520110d397a94454c

SHA256
796ab0234512de0d34dd5ec57fb8b5831d6961b3e129ff954a183a2132d1b830

SHA512
4291b4aa52320774d9a2219807c05388e19abfdbcb31c096dd16a7a83e7269e36afa4cafa7490c0fbb68c254d8a27466712a9192164b3dc432cdd748acc07e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09e5f9447370c56cbc1f4a0bc6176535

SHA1
8f0aa8be7ec7ec9d6660bb5417c4104f9866841b

SHA256
5e3ead1c7f5fa5890baf3ef377b7234f188eef326836b1ad436a50bb9bb70087

SHA512
909db96cc000fec92a92330a626014863de5d7c277d6ec0f5b520984daa49c018480f89dd1454cb3175714e689065f91cd49077fb9627a6adaddb91983a948af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
34bbab180afef9bce4db3e0ffe074fe3

SHA1
814fbf99a14fe3d776a98834133ac1a3d5cd8cad

SHA256
060d1b48a8f3124bed206ec4a7b7948e130aa1adc3cb51cf676107b7ab993a38

SHA512
c24016dc6f2cccef8f3739330a34363cc0a537998b2131aa4c01868c735cfa087383b0f4eab823b00d71379de51e8a7377ddc35c19273da47d3837a077b093a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
39c61d16f2fc6fed0a8678b6a9b082be

SHA1
69ff38d7b8ae36ddfdca626d7fa79e899bb9dd8d

SHA256
fa5baa185f228d5888c2785115f76c1e9bd75f7d6825a2a69a97a1c785d6b206

SHA512
c56d936e2e33852c08f3455c3bddca8b69b9a444a28cf1943d809ce375ed01ba5ad0f3bb4746854b9c58a9cdf411877f24c0cc049bb66e387f4fb95173f220f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
01dadd0682a66e2051d14fe2449a9862

SHA1
61123805a4d0034a75da5c02f402b6d3cc6dde3f

SHA256
a72bca6aa2f7350d1c3e2e81f199a4561705e12b914f9f76f9465b96be64f144

SHA512
ec6e39d8f009f57da08a5e702c04c09fa7776e524a30367ad580d8f520118e8f0d277db3712187d297f71ecd8d6a1912f26e6df61e5ed1eda4737a801f3dee86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1f48a8d5b1e05c423b168a29f8029c6e

SHA1
24806bf2cc15264252460eca8cd3c1b99b0ab5e6

SHA256
8f78b1b058ac4386b8594229d2394ba99626070900c2064f499697e7c3461932

SHA512
568b723649070db3cd8e299b07e57ef698de321267c376faf3ad6f02dafadc0aa1bcbba703001c010d830175a58ea87743fd87872175a226fd8237e56e693e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1a57e0f6aa374fd344a18262e9b5e39

SHA1
6f3128cddab1920cb9c3e7431c3ed50285631e87

SHA256
c1d9d4aa286bc90dffd54c1957ed6fa581de3a0b99a07c5e5bf83d08c409507d

SHA512
43c95d9d772b1557a4346293513daf0b81f9cb1443c122a61b61ac6f500e9417f3f6210dab81622374b58a314869c55591b1d3a280627fb2f7499d8de2fc1bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582277.TMP

Filesize
703B

MD5
89188d016a0cc4fc102e770a2ca19f6e

SHA1
884dabb213325256734a3ba75172df9e3a120270

SHA256
91b55ee3692f1b416fcd0ad6b3e62ea80e3a76d3f3f1bc628ef3a441687bc5a8

SHA512
904bda091b28adcd5d1d8a1182b4413938ae66e5c792f23ef481db2924488fb76ced702ffeff79a8344a607743597b330a5de10cf793f53edfc911530c7b1c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
66b6f8c742a540dc673b94f5351cd845

SHA1
f0c7257ae06cac7247d0ffdc88638750c4504c3e

SHA256
b5d6ce92b532e7b296bf977a695852849e598b0824e76ba0beec8b568179ad38

SHA512
f2d1a3f06a91abcba3c1833f00ad3dc65f55aed766f348bfcbc1fb64db6fc6738b8d8703ed1f5c9312ddd6de6fc133465eba5ba46636d5eb29dc04048565dbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b95c52d21e016400f209c5e104d94404

SHA1
b978b043bde5ff5c8f093cd07b826a2b375f632f

SHA256
3af496f452adcd9c38ae7e05d9b51a64302508b04c1f700b1e30cf4ec725071f

SHA512
f431cd307bedb44ec519ab9779827820a2f5366b887d2c8d0771e41421aeb40ca527c5ac20895195d70073229cb1c4f103716922a1fe15cce1fea9b0a2048b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2af4244168ae7d5fc72e4e6c4015884b

SHA1
1c72e139390392956779522f97074d8621fe88e5

SHA256
b8bcbfab588f482d8d1740afb30c8b3e6f7da4d37c436f6bcf5e9190dce007c8

SHA512
e11572f4fcfd91867e28e187b22825a93fdf05e1ebbd11c3cdc0835bfedca5955c9a14b7033176b7a1c2c1578ad74ae0b0ca64b0622e9a9bdbdacdfec38bbd98

Download Submit
C:\Users\Admin\Downloads\#Pa$$CŌ𝔻e--2275__OpeN-Se-tUp@!#.zip

Filesize
5.4MB

MD5
e03c9ea1c772760057fe7b1a6fcb2d53

SHA1
535b0866580cf4ab6a2ab91f88f7b4e7b23eba5a

SHA256
31a6d9bfa15c7fac1d47a4ea4e54eacc15820db59060d67d0ae0536af809f66f

SHA512
6bef384ed153c896f9fd79761a4218d37bfdf938167a4af7941395039df5e60241d46775cf41c11d668768501ae85eb47e138b3e4568f3ab840e6ba286fae35f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 522379.crdownload

Filesize
1.6MB

MD5
6c73cc4c494be8f4e680de1a20262c8a

SHA1
28b53835fe92c3fa6e0c422fc3b17c6bc1cb27e0

SHA256
bdd1a33de78618d16ee4ce148b849932c05d0015491c34887846d431d29f308e

SHA512
2e8b746c51132f933cc526db661c2cb8cee889f390e3ce19dabbad1a2e6e13bed7a60f08809282df8d43c1c528a8ce7ce28e9e39fea8c16fd3fcda5604ae0c85

Download Submit
memory/1792-566-0x0000000002870000-0x00000000028C6000-memory.dmp

Filesize
344KB

Download