lumma | hxxps://www[.]mediafire[.]com/folder/nwx2eunpfvo9o/Setup

Analysis

max time kernel
297s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-01-2025 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/nwx2eunpfvo9o/Setup

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002adba-1122.dat	net_reactor
behavioral1/memory/2472-1309-0x0000000000900000-0x0000000000968000-memory.dmp	net_reactor

Executes dropped EXE 3 IoCs

pid	Process
2472	Meta.exe
3756	Meta.exe
2804	Meta.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 3756	2472	Meta.exe	121
PID 2472 set thread context of 2804	2472	Meta.exe	122

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	2472	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meta.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Meta.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
3024	msedge.exe
3024	msedge.exe
728	identity_helper.exe
728	identity_helper.exe
3004	msedge.exe
3004	msedge.exe
4672	msedge.exe
4672	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2020	7zG.exe
Token: 35	2020	7zG.exe
Token: SeSecurityPrivilege	2020	7zG.exe
Token: SeSecurityPrivilege	2020	7zG.exe
Token: SeRestorePrivilege	1508	7zG.exe
Token: 35	1508	7zG.exe
Token: SeSecurityPrivilege	1508	7zG.exe
Token: SeSecurityPrivilege	1508	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2480	MiniSearchHost.exe
2660	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3032	3024	msedge.exe	77
PID 3024 wrote to memory of 3032	3024	msedge.exe	77
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 1344	3024	msedge.exe	78
PID 3024 wrote to memory of 4856	3024	msedge.exe	79
PID 3024 wrote to memory of 4856	3024	msedge.exe	79
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80
PID 3024 wrote to memory of 1444	3024	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/nwx2eunpfvo9o/Setup
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff82c083cb8,0x7ff82c083cc8,0x7ff82c083cd8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6640 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2575882353704950710,15091172942150827048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:1464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Meta\" -ad -an -ai#7zMap5337:70:7zEvent9702
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Meta\Meta\" -ad -an -ai#7zMap16193:80:7zEvent8287
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Users\Admin\Downloads\Meta\Meta\Meta.exe
"C:\Users\Admin\Downloads\Meta\Meta\Meta.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2472
- C:\Users\Admin\Downloads\Meta\Meta\Meta.exe
  "C:\Users\Admin\Downloads\Meta\Meta\Meta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756
- C:\Users\Admin\Downloads\Meta\Meta\Meta.exe
  "C:\Users\Admin\Downloads\Meta\Meta\Meta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 828
  2⤵
  - Program crash
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 2472
1⤵
PID:1800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1a24f723785f91661ba766a8fc299edd

SHA1
3200b9f8306b146856089c27ecac5ecbd099f980

SHA256
a8876efffb11ef5da0e74c46af6b98b6c25a5762fd1f88c7f06d14e40a09b916

SHA512
66c1281e41a4c59c66833e7ed6d35157ef32f491bab9501355383c9ae9ba651ed3bf071fbad14afd7fccba5b012f056ac4c396811a42791d596a2a8695afbb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8c7572fb68f9a30b68a1ed0ca7bf54ac

SHA1
f084c8a326094b5c2c20ac369d9aa32b7aac79eb

SHA256
e03474df90050047f1f6afc309faa5adee9a821fcd86b28c2dbba8afbf6a83c8

SHA512
ea83b794eb9134c8685c05257c14b660ca5a11dce37548e9142a5f1712dba1839d398b7d7b1d37e7bc1695623f525403f1f0d88b37296d449047aeaa7c377eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
409d9c37b6fd56271c1c3e976ec601d0

SHA1
43859a6db50a16c81eedfd9b85d425cb9c62d5f1

SHA256
3712ae3d633183f2ab813f3ecad14c9d3df4f64ebed42217353f0115b5c5122c

SHA512
a0a256cff409199b71cdeeb3604daf05412d00782b205262a1e5d8d5c1031801ffcb9d108b4616eba6cdac12d836b5e45a750e9da139a395294cfe7c5f02a469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
37c41374cde8ff18257af1b724cf7b92

SHA1
700b58d875ed1d652af5ce7244729bc2c5926dc6

SHA256
51c2d542d293a1d929a0518cbdc1744b6002f8aa9c8903dd45b20a4ee01da030

SHA512
43546f7bf9e1013813d73aefeea165af428af654f09b7b296e0aee9a98bdfe0c5cda9891c8f9977fae6303f65ced386532755c2eb0115b3abc7025c7f83ad766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f1bfe19b789eb7b627628f84c6c95b44

SHA1
ffd3b3d8c14a1cf3a364d330048b9d4800a1b54b

SHA256
e46e99eaa1d404f306dac109ecb4c78b53d5bc72d91b172415c8c5a456d8884b

SHA512
ec53444baad595edcc1da01c95f482d7295db9e696d376d9bf854f4b6d83e4e747a03728cf122503118e348b687264a6ff04dba499bf186db83e9ce6b994e7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e1c918909ab5983d94d01f795ff3c574

SHA1
9cd6e109c823d39cf09fe1bab51a8bf84f1d572c

SHA256
2e7082bb14b5d3c0701be9487cf82a91baa93bba642991adca2241532e38749d

SHA512
2d984e0e1a63c68c7502a86fa1f44ec56e69f6f2751978cde7c069b0005dc71ee09bf01c121c458b6fa0e741b91248a2e0486ae100d04f884daa586d810f08c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4bd461fb741a27999cdb33c1f3855156

SHA1
7accf1d395bc4abaeb8a0cd0800f209f46f62c83

SHA256
3ecf429b625ef9870bbd02f5dce9ea9e3ef6fced3b7a7c2c31f41c45fe5bd024

SHA512
c2c49688c89a42d5dc9cb33d63e00ee6c04f8a8aadf24747a1ff69f7c7f9c21a5419f5e0ef30cbf2175b708e58f263edbb900a30e92bf7b5a7b44524b4d00e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
8e8973bc420d2b547e2b3242f82797d6

SHA1
4786e917db216db0f1b94a432fea8514b90f2ce3

SHA256
70fe1ce2188fdafcada79257ece9bdb68a6fd4c47b1a3ee1951662a7751ff9c3

SHA512
8970c606fbbd7dc0f2006bec209bbf7c118de400a5c0d9a5337a04688f917423beefee04ec5c2feac4736862320456a29431fcc0db37094ca982ad31d245da0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
268554e7f05d64ec0900c8a75254f1e0

SHA1
79cb139a99ede98bac06f693f77efb6df4ba9546

SHA256
4a8b7976fed7f3598094251a0c9203184a7074694d5ed1af3a69dd779d5f450f

SHA512
ef1bb819c1eae95f6e02429750d3fd52b0c2b962fefddf95d2f04a3c85c000428b67f87811e55ee5a17b51a65511019797e3d4d77aef854be74b91191a9de081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4fe240dc03f03599d70c749a7ef2631f

SHA1
63c91d5725cddaa8b9baf28331cfbf5104b16de9

SHA256
9df5850ada4d5de935a3a3f10dd2e1c7655e3d5d654a38ab0ab384d935ac90b4

SHA512
08c7fa16338c61d31a84d46719a40993070fc030c3bd61449c13579dea27919eac0cdff7c7fcd453e3e71cb9bd9247a6c7d3d783f63238b0cc68dfdb3f98a42f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fe84f4ff5b43163c838b7414adb23ddd

SHA1
c95b712338b9ed7a8c86efeae4bd08c9fb3af9ee

SHA256
28b14e1a638112c76cf1b08e866a74bf2b32ae51dea0d2b7efec6b4038df645d

SHA512
6582d9614bd4ada082596421fddc8b75e5b78f992410238a8cb895f2a9b1fc64870fdb6412f7d7c01f50a984469be0a98851523b287f9153a39550411b3232c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2bca74922dfc59d2ca7244c2e55dafa

SHA1
e7951a54d7881898dc18a7b04a5971cda25742bc

SHA256
2fcfdc6e0cfb3052255df25a8454d3deeb66d0cc4875c1f839c6f23d693a4c6f

SHA512
277c5acea971330fc4f1d51de36f0778c9ef2bf0ec87a79d116e96fed549744d3e1650ff3a8b48aea1fef9e2b23bf677d74adc2c5b2972bd2d7de3d023e03f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dfbffaf9950a8120656987077d3be594

SHA1
6d99c6a631a37ecc8f20415cb2a76c4ae2edc39a

SHA256
d7e3969f78004473dd8ecde82b2b77e429f8b93354546f7438847996ccc0e0d6

SHA512
9e33ef8a396d746da3734e57df4eb013d1073f90054b0aa59684368a156ba0f776430dc9e4c2d0e9396ca5b8a9b8560c53a12fc02f410405413a9be83f188602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ec34eba2ea224875fe3821258d7eab1b

SHA1
ca1a2f346ff186e59a71976f8a527254a5def50c

SHA256
3da8f268260082fdf678d031eefd8742e353bad1ca9229bc8d738c8f22acf4a0

SHA512
d366a7378acdc1f0bef9b6ac147070851ea1b28554421bc82445f4f034b8aaeace569e3c06efabc951cb8ef66048c78e897cf79a21678de5c7e55505a7851291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
eaac64f1c64008d973b640693d533371

SHA1
068f7acde08264feac01f1d19f52b1050ac57438

SHA256
527ee019f1f47543bb2a5ee54356043a6e60cec7b96589bf5bdad8a3f0e5965c

SHA512
ef27c414c5ae03f9378c4ef40a2e62dbbd5b76384cdc3ec39b85d508550d361a6ec6e74ddc6818831a8ab4c7f8bc921ecb320b43138b7193624a0b75715d3453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a1f8f.TMP

Filesize
48B

MD5
4ee7a5245eea29b969e58319e0cf3c3a

SHA1
b88c89f47ccd31f65f2b233883d96c607a91ea86

SHA256
9af7582c81b2cffdaeefadd6b3936a0875d1e07976eba6c49079dcf173c8d22e

SHA512
785ca97dda4da927bb01fa07ddf5359135978ff671e08fbab63e96ae855c013340da38b0858c13f223965620b69cd3ecf2a76cf66b267af44e029167741f1243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07cd914e4cf3b5c625eb28d3dcdf533e

SHA1
7d7a4f031adab86505e4919e1c1d2227af1df1d3

SHA256
b9aa3c8a850c1bf048e5a5715d6be632136bf8a24821eacdecd36ed8791a1e71

SHA512
6ad71a42d000f0619e233ac9fe0cd93c7b51cdf97e9860ef1bcd3cdb0e6767f041e395517b46915fd46d0715898cdd54946b04010c7dedd4764700c36944ac0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9df7c5d08a9ff18653869e8254ba9dc7

SHA1
471caeac6e46fd5901d3f962525b1947dcbdbf0d

SHA256
a13808703a0cd380aabe4d530ee31f9ace4ee100f70b90802e793e8f6d3c0627

SHA512
c1ba28a202d0104245848a158233f88a00aa2575154bbcb26b6472232843f41175724695dbdb5fd9d755226d80de43a86c2d12894cdf83f2c34f8f164824f289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5832c3.TMP

Filesize
1KB

MD5
6ef82d9b6fd2790b1c2686f15b7dabcb

SHA1
26c9410c5b47da74f80c368a6f262928124042f0

SHA256
e72283b1eb3cddd2f25a75421a421305ed658391a218d8c9e71cae46a70a9127

SHA512
d46940d5609911dce91be70e690d0989cc84fab0a9d320de211d829a39299e63a7ab969c33eb2a7fedd895f19fefde40aba10c749ec29af3d66d60748685d3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
945cad3be579b2193cd040791408dae4

SHA1
30c97feb9793919bd4426b6b2a228c52852f253a

SHA256
5c4ef30cd0998a17ae62d0deb0199e2814859e68db1d138c9ad50b0c642cf800

SHA512
7b37340a551dcbd0d568053619dc93154b0f67054d49ebe445dd80ce129c39f638dfc758c0e994057ca1f5e3436f25ed4984d4418f28e8ca00ab75eec32fae61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54a4d22719c57b7c649f574372dc25f4

SHA1
46461e88c43c62fdaa007d282c0f63b454c54dfe

SHA256
ea6638d8d7dd16a77d6e14e13f73da4903cfcf96da26977cf5d4dfaab867143c

SHA512
5901ccff3d88277afd9b763bdab4d5568d6b8bffd945828c474208c1246dbf9a1be3bb69ce04ca9881d01d5365003ba830c6efe006bbb419a9b7ce5c3ac2004c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
34383147bda07cc82702b38072d8c150

SHA1
d48ee53a8279372c80194910e08dfe08eef29ee3

SHA256
ad24f7ffa6ffb5ff1be6b813d36d5eab1e58bc8e8ab8ec5ac267b688bedc2de4

SHA512
a1e1a64e9ebcf7fd7b34e42732660ba9f77b182bca29545e3ac43b763bea8862e2fff0a96c8c9a87aeb7cdcd6373d523d94a710b34d886710ea8148fbd7f7b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f23ea998e4e097e3ec08ba0a3a74b9d7

SHA1
ee9d7db3ffefd9eaf1305610bc10652bc8a2b9e5

SHA256
5d86cd411f447e22ab799072391dff76b23073a06fd8415bc7620cdcc109194a

SHA512
82c380aa7af403496441e1446d6186ff0ce326f90fd8b3cae325412a5218b98e44e21ef774e910b67dbbddecfe84e640f40aee010741e8b123f0de0e3cc86e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a9fc2012eda242d98d09e2b30254d3c

SHA1
455aa57513296c58dd3cde3374515277bdb0457d

SHA256
3f1808980e0ac42f9388ed0ecb72ba132424144a718ce5bec87f4f0c79af0628

SHA512
42798db00aa42ab7f37da7dbd2b66d4a62452d23167c3ec70e902d58f1a8e5d70fa2789326dde7718b450750f4b2f8d133d512b191ad39305bae57e129ee2006

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
76fbe77cbc68f3bd5f0decad25775716

SHA1
2ebc2dea0b2224ea73fb5413d94ad38218122bf3

SHA256
8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6

SHA512
1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230

Download Submit
C:\Users\Admin\Downloads\Meta.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Meta\Meta\Meta.exe

Filesize
392KB

MD5
f1fbbf5e9a18fd1108600a7980d1817f

SHA1
90512fb4835141b6d502fb6b83a75c4b84c5cac5

SHA256
9ce08cb43fec662eee28d8079f9d6ba33415ad921649a9612dc9abd82a0a82f2

SHA512
2923de4582fb88bfea00940b47bc40d46caeeae1dedd333750efe65e319049f6268ce5d90f7467be9b1aeec23ccbe5732dc3ae8f19781cbf73ead3afd2bc9467

Download Submit
C:\Users\Admin\Downloads\Meta\Meta\app\cef\Cache\f_00002002

Filesize
1.4MB

MD5
06934cdb323ec752112189059a42ebf6

SHA1
70eaacf4c144b512f55b9da0acffd1da97516d3d

SHA256
9b83f37545b7440f1e32994e66bedd6900519dd74f4cd5dca10defad530d70e8

SHA512
c0473f8622673d410f6a70943ad0f46dae04aeec87b4fbd288c48c9665cdabbcf370ff228bff67b42a8766e856c50ca8411b4c6167e3bb0ab7252eb9878793bd

Download Submit
C:\Users\Admin\Downloads\Meta\Meta\app\cef\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Downloads\Meta\Meta\app\image_cache\FF01A9D9734032C3B3A3F1EDC88A4D5FB939805F\lgctray_110886.png

Filesize
108KB

MD5
e48bbd1cd527e7100fb09cc8ad4e0079

SHA1
a61374f70ea747940469f2db2d643f4ccfbfe0b6

SHA256
8ce2ac5f453559cade50a913a3cf968bbe7dbbd2e1964c8e2225377df4f3ada4

SHA512
5d062f12c526c45f39d1c6c41fa0bd30326a76afabd4c7addc37ca974271b1e6894c98e5a1890b5ad44991cc5b2d44df8364b581d3ae989839d3e05787ac102f

Download Submit
memory/2472-1309-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download
memory/2472-1310-0x0000000005980000-0x0000000005F26000-memory.dmp

Filesize
5.6MB

Download
memory/3756-1312-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3756-1316-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download