lumma | hxxps://sites[.]google[.]com/view/projectxx1

Analysis

max time kernel
123s
max time network
131s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-de
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-delocale:de-deos:windows10-ltsc 2021-x64systemwindows
submitted
06-01-2025 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sites.google.com/view/projectxx1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/5920-613-0x0000000000B50000-0x0000000000BB2000-memory.dmp	net_reactor

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	sites.google.com
7	sites.google.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5920 set thread context of 2052	5920	PASS-1234.exe	124
PID 3320 set thread context of 5444	3320	PASS-1234.exe	131
PID 5488 set thread context of 1884	5488	PASS-1234.exe	138

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4de51a0b-1011-43e2-8361-463925a56e35.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250106162648.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5384	5920	WerFault.exe	121
5456	3320	WerFault.exe	129
4692	5488	WerFault.exe	134

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5860	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
3644	msedge.exe
3644	msedge.exe
64	identity_helper.exe
64	identity_helper.exe
5684	msedge.exe
5684	msedge.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	taskmgr.exe
Token: SeSystemProfilePrivilege	1920	taskmgr.exe
Token: SeCreateGlobalPrivilege	1920	taskmgr.exe
Token: 33	1920	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1920	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4188	3644	msedge.exe	81
PID 3644 wrote to memory of 4188	3644	msedge.exe	81
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 4196	3644	msedge.exe	82
PID 3644 wrote to memory of 2156	3644	msedge.exe	83
PID 3644 wrote to memory of 2156	3644	msedge.exe	83
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84
PID 3644 wrote to memory of 1760	3644	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://sites.google.com/view/projectxx1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff84b2446f8,0x7ff84b244708,0x7ff84b244718
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2008
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff772965460,0x7ff772965470,0x7ff772965480
    3⤵
    PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,18289465409849228865,7241223124744262454,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dwasd\PASS1234.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5860

C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
"C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5920
- C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
  "C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 828
  2⤵
  - Program crash
  PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5920 -ip 5920
1⤵
PID:6080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1920

C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
"C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3320
- C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
  "C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 728
  2⤵
  - Program crash
  PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 232 -p 3320 -ip 3320
1⤵
PID:4396

C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
"C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5488
- C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
  "C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
  2⤵
  PID:4300
- C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
  "C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
  2⤵
  PID:4160
- C:\Users\Admin\Desktop\dwasd\PASS-1234.exe
  "C:\Users\Admin\Desktop\dwasd\PASS-1234.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 824
  2⤵
  - Program crash
  PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5488 -ip 5488
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9fc751d5fa08ca574eba851a781b900

SHA1
963c71087bd9360fa4aa1f12e84128cd26597af4

SHA256
360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb

SHA512
ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d9a93ee5221bd6f61ae818935430ccac

SHA1
f35db7fca9a0204cefc2aef07558802de13f9424

SHA256
a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968

SHA512
b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
217KB

MD5
a5357d0335696e49fc4556a7993ec63d

SHA1
db3a49f3ffc0960923644fc3b795d2c9c8002741

SHA256
a521559c834031a85b67fe14b0c0fc88577e9115b953c2802f973e17e1f22a80

SHA512
7a1d1f2c8168bed410e25fdf9db62f62bfca0cfae7105b085d94816ae55d22279beae52d9d5dcdb0e24b31a409e2398002e4b116117fd83242881e026901f057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
dcb913d7b79bd829d489a16d070a3deb

SHA1
41a7770c08daa12bc9efe0d6521fb9c101d0ff54

SHA256
a7e637b316c289c0b00de1eb4d9cb8213376d1ff73fa8d9c968a0b456497585b

SHA512
480108c688f4fc87306c34e7ce062661f49f8c03fd532bac8afcb681336ef7af947b481984e9bc160b059c87bd91183de0285023a01f7e5d79212fb828eaa90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
873f026a45cc7340559e123081a3477a

SHA1
2049f636b291c05c2615ef4c472f449bc1f8009f

SHA256
5a87ad2354a23949dee6811f71a687ebb2b7b5119150757e168a0cdf0283e10a

SHA512
c5b1b5a4e86b5cb22032519443930b6b584bbc2a3e5b887f82f310a2bcc60e3a0c81c437d9085a1dbfcdd412453bbb78a7b8401e4dad862608e013b3b37a035d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
57c08485ba9806e90c9329bba0ec92db

SHA1
6230505f487bf9d5c90305a8e14dfd778388f891

SHA256
e15809e63dc6d841be2432276f65149aa63cba0b0fb39c17d6dc60f281e66ea2

SHA512
08fba0f1b2f9c2eb79a4296cca8ac63b5e722c3e7388d5e951faf15ca74f0f383408bfe846d60533e18ca2041479e0ec929e96138fe34b1d1b9809df6a16227c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ded6a2d05531a28635a0676570c75f9b

SHA1
0e14e8e7e8811932915a3ebe62d7f38d5dcfc893

SHA256
b1f97001ae00f6c55ee5fe0ebbdb09db0110bb6a4bb28cfc45bc6882eec42e0f

SHA512
1ee035745c8faf9b9d30fa2138399e895cb58d7fb99e1548d821a29d35fe29fda07da92d5091333fc64965338bacfc500f50af9003866f0ad35e0950503697de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cdee1470e36e85fb44d2ddae2942e889

SHA1
85cfe568c9e5bb71c32dfe0f72e1cf4feef984c2

SHA256
ffcd1c3889f9eb0b78e4cb31edb5fff2f845e4b5950209e445f58d061039af3e

SHA512
6af3b374f7cb2038bbf59d70257b662c45123ff72d447bdaeee69b45e8f5f7b58a33093ec3e99ff5bb968b96d76653929f28f20e5212e5932f9bcd0251f461be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58acd5.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
518a69b69b5e05b3a816a99f86f383e8

SHA1
a80edfad6cb918bf3f5851a3b6d7996b58461a0a

SHA256
a6f9fbfc40d15bbc94d3bfe522c1266d70a7ea11678334456a07ce12099a1e62

SHA512
ac3ae01393f43cc3d2588601a7cafcc5c6ed62b438c2c4a86cd180f37d89bfa3d3b1f17e81041ce3f4a0e69e2a579ba20f974a300a980cc55ee03c6c287567f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
146a10cf9a79a7e1e3e62198daf28111

SHA1
0f84bb7878408e0c420fd63d7ed1763e0bc7b62f

SHA256
d00eb161ea610b4094f1f55d9c3d2bb153030ec2e8b5173cf06da752226a77d3

SHA512
b490ad18d78d21b395787913aa27d86dfd11293f2ffde7a4021e4471f507c7b5c8eb4bea18572f094eb5ab20a420b9288ba086ee6d0a1c0030e370958850e777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bfb7427ef0a0b47525fb56cf73b6812d

SHA1
2dcd7334001b781ba520f1b5fb7819e8b12cb491

SHA256
94dc32a128a4b95390d052eac4d8b1d08e70f5199d29ea845f7567a4f4807c06

SHA512
305ad9f6acd09042c3e2fd5c69f8ee8102c14ead29db3dcc1a2fc954288bf1a13b7ccf1278ee7e04731c41d06cab7fa5b109f13f414745b884808653687843f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c81978afffe36a22a3055aa64e7ecaf7

SHA1
8e834b232674042c40332a7d52a1b9eddeddb891

SHA256
b5b8b56720d34a627c1d1f8f1a5e68a641feab96d2765924d011c6622decf5bc

SHA512
9ecbf3b8cfbd3d865a0cb749c38c5df089da542b80f3ecb42e2ae95c210ccc19feb53cf17b318651a2f987b385da39e31357d78695511769145304adc7e57cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f9055ea0f42cb1609ff65d5be99750dc

SHA1
6f3a884d348e9f58271ddb0cdf4ee0e29becadd4

SHA256
1cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348

SHA512
b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d3412a01d4c3df1df43f94ecd14a889a

SHA1
2900a987c87791c4b64d80e9ce8c8bd26b679c2f

SHA256
dd1511db0f7bf3dc835c2588c1fdd1976b6977ad7babe06380c21c63540919be

SHA512
7d216a9db336322310d7a6191ebac7d80fd4fa084413d0474f42b6eff3feb1baf3e1fb24172ea8abcb67d577f4e3aea2bc68fdb112205fc7592a311a18952f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
982736f67a4f12f7076b4c4a089c2789

SHA1
76f25ae82e760e5026e52eb5439140e6bb88cf1c

SHA256
f7270755cc02af79a0629b4e98148e6c79ebde567155e5536534493fc9c93ccb

SHA512
edc309931357a48549e20fb577cffc6c6f72f8965739d24e71f4dc9b8e46ee0c60327e8965b4895da390cada047f57219a5be6f11e25035eceac3638e0909110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584784.TMP

Filesize
48B

MD5
3654c0eeaaa99bdff60f5e8c1e75354c

SHA1
e82abb9900df71a27ee0fad2de1f0e970ffad6eb

SHA256
25a74b0652fa7d7fd40152541e32e82889bedbb273708bfc89419ac01d3fb472

SHA512
587dd0183935a78a4790e28355c840ae7e13afa4d0b546dd5b50289a4d740bac07883c186c58387f7eb22fc37084e9a45fa192c7e91ad94c3db75f45c7a956a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
4c270b1f5c50fda2ecb5eda6707c7031

SHA1
b57f9fd723e968cd9e24102d63adf732b869f1d9

SHA256
a3e08ef04e1d985f2be133beb8538b5c436cd4b545ecd16a76a9feb0488e7866

SHA512
38c6f77cd84685895c64f2dfce5bd37ad8ad70b3698a887309c32da07e7225cacbc867f38445bd805c5e37b418e9c103ae497f2ec9b76c68348f7ba4e1352153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
6acf2d83920ee8cb0a1e61130b01bd30

SHA1
29e1ea67eeff2bd70de8f1f1ae4bf6e09ab2b1b4

SHA256
cefa08609bd919bc8b594d8a94b0544e1c4c2bf6c8f898fb5ba9f9d54b0c3381

SHA512
608c03096c362f5b477ee3991208b9553523c6ad8b882faa8cd92571f12b2e9fa1d6abe162bc6166df1b612a5e95d463cd1d97e191724884f6a233ed391afa12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
7046fea8fb49f2867ccbf4fcf5ce4dbf

SHA1
d5c2f98be7c568cad00fd71211fd050b5e4ac6bf

SHA256
698f6e7cc75f2ec5521519fbc36dbb809492d04059b6707eab333372833f019e

SHA512
922f5debf65c49c4d82fb6b9244c99aa36fc7e57489d8cf6862e61559a05b4994dcb9355ef1755d1d4501d73973435e453d5fc9197cd0dea71531bd675f2468b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
0b3b3fb0b5bfc2b29a4a2ac5d34a8e19

SHA1
7b38392fa9b8a9fe8941019d9483e5060017a928

SHA256
530c5a04b9ef49df7b2355fb000cff5bf802b3e5123c84addfa9f4534cc8dec5

SHA512
085af4c860dd8b51ab22b0d1c370ef25e368437562264fb348adc5197237af05c0d12bd2dedf10909d744a107c12b4d6792cdbd2c4b92c1118a4d150e4205bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5804ed.TMP

Filesize
204B

MD5
ae052e42b2f8fad3b5cf03bfc4dc1991

SHA1
c7d04ce6389d97951ac04b04b1c2f6cd9a10b0ca

SHA256
31b0afd36cecf18cd3cabe8996586e2390cfc11875c5feee5b9d1d6946f67b74

SHA512
d88561471fd7cfae5ab19abd08edae18853720a8574cf276260de2e0253d2f6bfe4aa9e2523dac896aa31acc7c8f6346a2071c7564e2420521190fcefd20b4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c495e4410b207a51473fa133bcc892ba

SHA1
dd29ade56c820e899f668b399b4d0b5699021eb1

SHA256
1bdb02ac66b8945e232dd47d070fc72ff1c31f63e35becec19e5f879d7276a01

SHA512
cafee435d551e6df1a8f0a3db56a5858211a9151d97447be9c1113ddfa8a2021172b4ea1910ae5c75ad354af62e9139fe7a7b94469e3e0ee8a99a36e69e11ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb5b24bb1d04fcf883a8b0bec52d3675

SHA1
5fa34aae777f21cdd6118b884811d4bc17a2058a

SHA256
0e538edb8e1a887720ff719d8dbf50ceacf88e87b7d8c920185c3456c4a99b38

SHA512
3576e9eeae47f743cad3bab47b0858793e2b19f103d4122b410c3490237027b2b5ca466482528294290f31064515182842ac31d72ac0629cc60163713e6a354c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
97db5ffbc9ee500fe1f769ad7669c32c

SHA1
5409eaf478542f459f8d5c9f85a9c6138d4e67c9

SHA256
6f6bf24a4d4b27603b3c04e3de949fe4bce471090677a5bc36263a31f2355b63

SHA512
a89ec28e811d5bf012b8e029610e088ce0d2e3801f972d8ed32ef892f48e6397962cc7becc1612921e3a0e57bc35c7db32c05b590988bebd994e8a4bd9eefd98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5195f289bd7d819ce285dbc0820105e8

SHA1
0b0541c101116b1e0f7c798f931495a89ae0686f

SHA256
c8c80dca672b783935a17f62ef9a56c2a9086d1ed62c0da2dc5c49b55fe2ab4a

SHA512
b5352e47ee8e30138274814041f328b1c9bb358201e6e2d8075051b19ab3ff05e817032f17539fd6bab44b239069bfeaf80f13c5f3c5aeabfcc44412d62560b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
241e3c051c2b31a266f5619a20065b5e

SHA1
1734e650533e14301d3f2982696c0a3247f2e26a

SHA256
57c9c5a551ae96c9bb388896745f46f9bfaa1c3715a48327aaeb432e1db087c7

SHA512
963c393dcc3a645b0bd09f3298ab1318677578a3bfd0d132ba0a99933809a89763d4d8f9e90974326678a59fb9b0efd5bcb3bca44dcb36ed850d390845eff247

Download Submit
memory/1920-629-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-624-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-625-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-626-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-618-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-620-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-619-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-627-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-630-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/1920-628-0x0000028C31FE0000-0x0000028C31FE1000-memory.dmp

Filesize
4KB

Download
memory/2052-617-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2052-616-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5920-613-0x0000000000B50000-0x0000000000BB2000-memory.dmp

Filesize
392KB

Download
memory/5920-614-0x0000000005920000-0x0000000005EC6000-memory.dmp

Filesize
5.6MB

Download