lumma | hxxps://www[.]mediafire[.]com/file/nh5sdi2077fg03p/!@Set-%F0%9D%93%A4p__6649--!P%F0%9D%95%92$$w0%C9%BE%F0%9D%93%93##[.]zip/file

Analysis

max time kernel
149s
max time network
132s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29/01/2025, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/nh5sdi2077fg03p/!@Set-%F0%9D%93%A4p__6649--!P%F0%9D%95%92$$w0%C9%BE%F0%9D%93%93##.zip/file

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1036	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133826397103697746"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2580446533-3148764140-1073334258-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2580446533-3148764140-1073334258-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2580446533-3148764140-1073334258-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
2944	msedge.exe
2944	msedge.exe
1756	identity_helper.exe
1756	identity_helper.exe
5444	msedge.exe
5444	msedge.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1036	setup.exe
1036	setup.exe
5564	7zFM.exe
5564	7zFM.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
5412	taskmgr.exe
4976	chrome.exe
4976	chrome.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5148	OpenWith.exe
5564	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
4976	chrome.exe
4976	chrome.exe
4976	chrome.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	firefox.exe
Token: SeDebugPrivilege	1248	firefox.exe
Token: SeRestorePrivilege	5564	7zFM.exe
Token: 35	5564	7zFM.exe
Token: SeSecurityPrivilege	5564	7zFM.exe
Token: SeDebugPrivilege	1940	taskmgr.exe
Token: SeSystemProfilePrivilege	1940	taskmgr.exe
Token: SeCreateGlobalPrivilege	1940	taskmgr.exe
Token: 33	1940	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1940	taskmgr.exe
Token: SeSecurityPrivilege	5564	7zFM.exe
Token: SeDebugPrivilege	5412	taskmgr.exe
Token: SeSystemProfilePrivilege	5412	taskmgr.exe
Token: SeCreateGlobalPrivilege	5412	taskmgr.exe
Token: 33	5412	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5412	taskmgr.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeShutdownPrivilege	4976	chrome.exe
Token: SeCreatePagefilePrivilege	4976	chrome.exe
Token: SeDebugPrivilege	1016	taskmgr.exe
Token: SeSystemProfilePrivilege	1016	taskmgr.exe
Token: SeCreateGlobalPrivilege	1016	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
5564	7zFM.exe
5564	7zFM.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1248	firefox.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1248	firefox.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5240	AcroRd32.exe
5240	AcroRd32.exe
5240	AcroRd32.exe
5240	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3200	2944	msedge.exe	83
PID 2944 wrote to memory of 3200	2944	msedge.exe	83
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 2620	2944	msedge.exe	84
PID 2944 wrote to memory of 1172	2944	msedge.exe	85
PID 2944 wrote to memory of 1172	2944	msedge.exe	85
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86
PID 2944 wrote to memory of 1184	2944	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/nh5sdi2077fg03p/!@Set-%F0%9D%93%A4p__6649--!P%F0%9D%95%92$$w0%C9%BE%F0%9D%93%93##.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb153346f8,0x7ffb15334708,0x7ffb15334718
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3060 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15662348054374314545,1031188697392263833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:6044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2208
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 27175 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85de20fa-bf30-440d-bc6e-51313a256075} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" gpu
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 27053 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d388dcd-61ec-4ef6-a5d5-395851734e1d} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" socket
    3⤵
    - Checks processor information in registry
    PID:1076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb8faf7-33aa-499c-9798-5daa55cb1d34} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -childID 2 -isForBrowser -prefsHandle 1232 -prefMapHandle 1228 -prefsLen 32427 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1104d7b8-c4d9-4041-aae3-4556bd54838f} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" tab
    3⤵
    PID:3216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 32427 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {085a6fd5-c1af-4d6a-8e4b-4307605f3622} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" utility
    3⤵
    - Checks processor information in registry
    PID:5588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5384 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3da7a3c0-7e9c-4184-8a44-f5bc36b570d5} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba3ec739-0aed-4e88-a818-46250dff5c65} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" tab
    3⤵
    PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74ce3c4-2146-4643-a134-a2f769bbfd77} 1248 "\\.\pipe\gecko-crash-server-pipe.1248" tab
    3⤵
    PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5148
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\20c27bfc-7625-4ccc-8d20-b9ba6bf0bfeb_!@Set-𝓤p__6649--!P𝕒$$w0ɾ𝓓##.zip.feb\#Set-Up--6649__Pα$$C0Ḏe#!.7z"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:5240

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\!@Set-𝓤p__6649--!P𝕒$$w0ɾ𝓓##.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5564
- C:\Users\Admin\AppData\Local\Temp\7zOCB52C588\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCB52C588\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1940

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb0675cc40,0x7ffb0675cc4c,0x7ffb0675cc58
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3708,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,12848254917782230382,17859721437743897883,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2800

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6c1a3f32b3f51e234bceca165bb5cccd

SHA1
065ea3fdce4c2fe548e5c3c611251fc1c9560438

SHA256
2ac7d6d589c291f868875ffdb392c4887b1a35f6a8fb1689007e630d02b58154

SHA512
4672c6e7ce5cc394eb23707949777388985134876a1a4c4b610bb45ec6a8e86d942b3f1f4bf1cc4859233b783eda1a6d0bf8b5f886fc3d3b86bff0f99c35ab86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7c3ccd9f3bff98da736d59d6e4fb5f72

SHA1
9f419a0f557daf1d196ff68d4d04ffd95044a9e4

SHA256
be2e7954107f5242ec3208115de76f72121463dd6f1c5821f80a52a3ee6f0e78

SHA512
e77f6ab5101fecd3f47bcaab3c87f6da663de65b5d72db2c8eb786be6c8e0c1dd02e6ab0b59508b9ac63cf6c1e3c31c9d6b5285b85c904076e1a6ab17095f74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2af37202aa5b25a8e4174e19e6b81bf6

SHA1
a91aae2dd423994444cb3cdc8715aa30b0d7bd92

SHA256
eedca3969a7102179b0904834ca3e49d912735f17371930eb518887226f0f2fd

SHA512
12e698f2814c05679875dbd7787ced5f27bb3a8fe605b78d71d1cb72c1ad632841b4516dc32f15f0cdb63fea1a45819b14e27224ed86b79c64daa4c4314b4fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ff54aee09eaede0699a3f7dd9efad8b0

SHA1
6fcc3c8678bcbaf773ca563ae356bd31951489ca

SHA256
1df8fff9d5211fc11c873cf6bc3b1b16856271c6e236145ab6069981cfa03254

SHA512
8f1bd464b0a6204d4937b410e9ee204678fd0305fca5bade203407f69a18ec68346a90e0676aa3298afb8f82752037934d5020afd6d456b3a30ceb966907ad51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
247a8491a6dffc6709c43d2bf6ed9858

SHA1
724c2d662946d12055e77412fd1f3e2da1190351

SHA256
059738ba7af0fc479600c0feacd1ee5898ea5328a355440fb0ce8b96b57b86fb

SHA512
5610367084900122fc3e34820833e89f0fda67898258c362b134ed25b3e0181abb9f8906bfbae5997b88ad61815b274670e51ace4a237375ce29f747c8ec2064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425248739d77afa964e1a893d2ea5a94

SHA1
ae91c41cde6ffe01839ae7e61b193c241d18a513

SHA256
816b3a135562fe43c926caa3e9f2b6271ec5fd7e44d6a05dbc6d7cf9504aa254

SHA512
c4dde9efb7f500f7216d83e9327b03a1905568da3a7346668100792d4309fce8ac2ef1fe6124ae06a4686762b4b41d5ab7a64343c446b60c301c8283d9547c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
e29dfb5b4b6ddc4ed67f1ccdd33e321a

SHA1
3f26d8e4059e2236f2872ea04b74f7e567c7431e

SHA256
b1aadc601294392ef7ab6f28802ab173a597e959bf17ac5b618964905fe43d67

SHA512
ca12f55c061a17dc3de1b7eeded8d71408e09d5bf2f884a89c265be79b0f38b9b7d203a120b3dbd3048a72c61d6462d2c799d290f9fdafce94b90bc42e87d54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bdb3bb17a4d1c6ce3455bffef250cb60

SHA1
3d5866e420ea674af1bf9d272c9a4890dec63eeb

SHA256
e93751177e198a45c105b571e43634c723dea15a710d484d23958f630e1f74d2

SHA512
25a0d69f9b8fe3e9cd36040c72956cb19e9856904745048b910770bf6788f06b1b2240b36cc5590b96f79b523f8db4417425801f53b6c9df2e366f2419f23502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9ce43d64c567704bff34a9344aa0e28d

SHA1
6e5505482b6e635046c2e9022ae9d5493695bdb7

SHA256
254a727ff8cb8619acde17cff14faa00d04476ea457303761e0d89a60532e54b

SHA512
aaa00f47c5bb255562cecef3e24eefd2c7e8cf598aa807a620a1374e4dfc72f1ba00ff02ac853d93548c4376d97b230d56716315d74bc8d4dbf7cf02ef9d28d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14643710c0fa3d8b435d7cc4e22797ac

SHA1
46f953d41e1fe9402f80d57c2d73eecec382ee4f

SHA256
04abfe0164fbf6d25eb64e7b80ced039d6e776834b7175a9e0d58a4a43fb5712

SHA512
d7bb1b5c7a96c363acc48ea01bc6b749f7955fb10b3096edcb5336702af3824bf130eaa2fefd626867693118f15c13c24b2b4a1597da43f43d7bff1b4ee5c428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
591bc300cdd96b87a69a47ee130cbb46

SHA1
74d3f7169c198d7d2bb959c692d3c489b67b43cf

SHA256
ba49d919e6b252777e7fabaa64d78142aefb9aa846df6ee30fbcb562e136f1e9

SHA512
785310afbe5663c092e82ce701de4402e602ec893356269d61066a2c3ab72b93b9e979955c09318c35268d873279bf95bf3ceaf6412f61fc0c8f529223334aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc80887a6de72928e2997cbc793fef48

SHA1
796838208ad5b9aa78afdfadf72d9b9e25638286

SHA256
1f7ce5852a223defa33d79e887c06962eb472de96f8012c613f1c6d434f8d164

SHA512
3f85ce24962bbcc33e62cacfbc8beb81d81f5149484a343bfa018d72dcd9402ae5fdc06ee06dfd1aa5044fbb0124d2b058120240b32d17e57cf5c4ed5c2facfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2055f4c56ddd86db3a871abe69d3a7e

SHA1
229d2ef67afd8a610e42a3d0d0d2749a5e9c9ddb

SHA256
e78657980ef4738ff1d641ea192df07bbca63768b4fc56ef909834e7e309321a

SHA512
8effa53926e83dcd63306ff7210d5ef9b6879108703a375c4dc0541f021555b3fe0a2c44b0954dd2b80956955f1dee419c4ebf2aa8dfce0029caf8938deafef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
dcb3a22320d5a33a1efa1b4847ea4bcb

SHA1
a593fdbecd26610c1891961c378941baf8560398

SHA256
33e7feba556087bb8a0abd289b518350b77d05b7a551700fad1955048e59ef85

SHA512
0ebb797fc67e557d0960f80e5c039efc238cb64edc3a7fccc39eb2142ada726ed91498e83abb725017953c3c900943364793c8e6f952a7c2784e27748d83d2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a112cc94b04124075d2b7d36fcc0fba6

SHA1
3a7d7b417aeb2417a636d2d56dc546c44eb31916

SHA256
9b9c7df8267667bf68698492e8ed42b514b278012b7c389ca310677e67da26f3

SHA512
d283dbdefef96640ae9710e20b099656ae33976cfce0834bd65c82ba0ffdcecc77642590062c6a4853c72644fe4019d9d35fcdc250ce2546760870507f4222ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0e9a24240726ecd19e2eedd84635a2f5

SHA1
06529595c02a3e31eefe459d16eb7ed6b1c38531

SHA256
c66afae66d5b62daf536781ee18980f2355374b3faf21077ab8004d8b5c520a6

SHA512
4fd2b055974e8b12ea238095d4910c9a4cbc4c1f1276fe2c45ab75e714b2c489106c3fea013ed7e9a1add95a540c256cbefcac42416650f4159587d6c6ce05d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1312cc5357f1a79bfe559462f8ff55e7

SHA1
b4c19db7479fc4e7b2f98c8596df79bf1701fc4e

SHA256
6570219d3495682eb6dee9ea7d85a7312de4faee64ecbb23de9c3c53838b94e8

SHA512
da963c818f8e0db6b549a39170cd9bfd086bd930a3b46f8fbe7170b1b93aa7d38b8816ac07c939f845249e8be1656e2479898e51b33d64f71928d23ca1b8ee6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8a3a904f2458a67c07d21934da61b178

SHA1
bc4a14afac5882d12f019da8575a4cb855ee2681

SHA256
a0359b9f938cfc2bf59791e3e8525e8ecff3addf5881741f7308aaa25fdb0621

SHA512
dcfa3b09309a344182c4a9e3ddc2ddf9a43f38f8b07362cd074e57ddc7b1eaf5356df2712f3113025608e50a1dcaa7d840b35ca93057c24702efae4e67ee878a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w69s77rt.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
ac591ab3de11e85730f13ef9c250e887

SHA1
cf7b82cb379550e9d00f6891c9ac4bb93ef30926

SHA256
1e8beb0b21a8a75f53ff697897ffa1ceab078f6a29cc79959518674048af0220

SHA512
d8435dbdb8f6cad08436970c771de5fb9e51fa10021aa16955b4172d9ab35ddcf266b5cac6ce511f3acc120a51935f4bd84d6b3cfe1dced7bc28224af3939d4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
090fa5827fdce20413f1ec48bd725f15

SHA1
2e2c68be5559df5efca3d39873fc70a216564cf7

SHA256
bfc0a281f268a9f02411100654ce46c63e994766e59b93a6c79ab7e0fd3bcd01

SHA512
229dd6b5b6bcb54acc03571f3fb7c07600af077f5a8b601573931a7bd2f3b9338dd6a4dbe5fa7c66c93968d6d5c08e9b36a3e1e52ccbf6eac19fa0c5c8004892

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fe6e0a7519454ab8c37cd67690d54bae

SHA1
f30275e52634e730968c2430497d9a6db07fc78d

SHA256
f88811d67c21d820d2d9028a63d80e3efe7657a6a5f590f8b1662f61704fa45f

SHA512
18b047f926bf1c31b330eb7ffa8f898fffaf4e0ca11f898a1ded79e584457329c1f3ca32c24807c041bfb557e54128b6daa5fb03e89c7de219eae55dde2b7750

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
def52a8214d9da670bfe6a38187a6626

SHA1
576255708db20dd93a1638f484e3e66600326cd8

SHA256
7fcc2b4a36aa252dc487fa0fb44a88a1852ce0c0b0e7ef058200c3d48c0d53db

SHA512
a2a0ba41ac34af150586b30fbc969cf45107d99b4f54489d6752594084ded2e8ec8d0632d81f80ef8b790c26c85feaab2a5e50ec0d69ccdb7180dc494cef027a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\pending_pings\55ce88d0-426c-428d-bfe3-0b607845023b

Filesize
26KB

MD5
d06f6e9ba8d618fa77f74bf28c202fc9

SHA1
dc287a66a3f92143184afecb74e6b636d11481d6

SHA256
05666796aeacfb34c6f56f9ed0d876233f016559d52f22a4f6490c4329804f16

SHA512
d2d6f5406ec4e338e702c429e1c53b620f29eab792010994b0a6920cb2bb3d2fa285458fb70fbe2cdbfe60a68a382b362bb7ec8319d99d0a8d68b1c6e640c835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\pending_pings\6bf84c48-6426-4c4c-a06a-b6da5b4906d3

Filesize
982B

MD5
735a1f582f97ec1be6e881cfc51e1e69

SHA1
07d231143b0dcec1e7c1479007dfa193dd174e71

SHA256
b6d4673ef0cf5c8c97c3a36d6d11e8237b9afd5c97819956d667afdefdcba246

SHA512
420b4ec14bc81f6d1a5a8909348dd9234c4d192830ce7fec1b9d141aa50eaa33b3f2da5dfb8e762faf3de539fab1de77f82fe8e86c8a77ce791a90c7b675ff35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\pending_pings\fdfa6dda-e3f9-412a-9a85-10f0e79fdb5e

Filesize
671B

MD5
1178d7a68fd7e292b1944f4b2da3dea9

SHA1
18b322c705da676471b697878a3ee2fccc9b6ed0

SHA256
5e15d8ef687d8093f9b0ffd646a5b7e5779736e9fed1afd847496d6ad4b9e729

SHA512
35baf70bfec9031ae5a9175184ed12c129f1e989b66ef31d399776419b7a3c319ed175af8bedce7768a66c6c9a5f802b06be9f371d56cb5135a3d7e9abc0e09c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\prefs.js

Filesize
9KB

MD5
29fc56f5c6a7d4edc00284457a9432d3

SHA1
30c242dca92e92bc3fa2f4c22f6a7865c9b85fd7

SHA256
38fb311e57bde4cd5b626943eb7b991f8a7fcdb1c5caa2ffe200f68600e4d335

SHA512
c28664614c678809d9d46c5cb59d7b925777fc201fe434d2d810ffb8296876f56fc0ed5479341cad3179ffe808ec2d8d25c8f6e3a3d6d36d7debd7dc42b18a14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\prefs.js

Filesize
9KB

MD5
25edd70c39bdae84ac88181a7f2141ac

SHA1
7d26f99648b592013b6947601d08b644f8210885

SHA256
4cd011b384ab453d0b2ce6fc4692b993a47de2e8d29cde1165bd366b4e58a7b3

SHA512
faae654f12a9e74f52396ef76b01bdcf584c010d38ab56b1ad2e14791a30ab75a6dd7416eef02ffc52d290f616f00003fc8c2a4157ba03d59c637cf5870ef6d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1e53624d19e29a0be5a5e6b4c3d6467c

SHA1
07f7e346b8b33bd89907faf77d6fe4fd03e6bf60

SHA256
edaa74cc96e99bfdb63640777092db16a0a90a8b799647c5022027b233132e8b

SHA512
fc8329658d057e51a99bb8fc13366e604c527f859ae514432a284621428093142b4bf7847779211ad2db1742859ca380a156493c388fb309f8fd854631a5fb75

Download Submit
C:\Users\Admin\Downloads\!@Set-𝓤p__6649--!P𝕒$$w0ɾ𝓓##.zip

Filesize
6.0MB

MD5
6dc886a4b411ff7d8a16509e7550aad0

SHA1
6bf99d297c028de2a914d12af74deb0ca3e38e35

SHA256
694b7fb3ae0832a1463202b29098f8be7df6e658b0a399b2080f3de68df9ead3

SHA512
9abd15caeaea05de2ca9f4fe794ae3a7c5f0b2df71a0589d7905e174f828a62a076e1e1c9d402172c3f711921d620038973dbe72f40570a03bb7833106c1faf9

Download Submit
memory/1016-923-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-921-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-922-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-913-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-915-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-914-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-920-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-919-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1016-918-0x0000025642B10000-0x0000025642B11000-memory.dmp

Filesize
4KB

Download
memory/1036-660-0x0000000002F50000-0x0000000002FAB000-memory.dmp

Filesize
364KB

Download
memory/1940-643-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-639-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-642-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-640-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-631-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-632-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-633-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-637-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-638-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/1940-641-0x000001FBBAE80000-0x000001FBBAE81000-memory.dmp

Filesize
4KB

Download
memory/5412-673-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-674-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-675-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-672-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-671-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-670-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-664-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-665-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download
memory/5412-663-0x0000023542280000-0x0000023542281000-memory.dmp

Filesize
4KB

Download