lumma | hxxp://91[.]90[.]195[.]152/Gr5L9Q

Analysis

max time kernel
145s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://91.90.195.152/Gr5L9Q

Score

10^/10

lumma zgrat rat stealer

Malware Config

Extracted

Family

lumma

https://auctiongutollyjkui.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023b16-1499.dat	family_zgrat_v1
behavioral1/memory/4712-1501-0x0000000000450000-0x0000000000836000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0007000000023b16-1499.dat	net_reactor
behavioral1/memory/4712-1501-0x0000000000450000-0x0000000000836000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
4712	Launcher.exe

Loads dropped DLL 1 IoCs

pid	Process
4712	Launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
26	camo.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4712 set thread context of 4936	4712	Launcher.exe	112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
2792	msedge.exe
2792	msedge.exe
4264	identity_helper.exe
4264	identity_helper.exe
4024	msedge.exe
4024	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1400	7zG.exe
Token: 35	1400	7zG.exe
Token: SeSecurityPrivilege	1400	7zG.exe
Token: SeSecurityPrivilege	1400	7zG.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
1400	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3132	2792	msedge.exe	81
PID 2792 wrote to memory of 3132	2792	msedge.exe	81
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 3400	2792	msedge.exe	82
PID 2792 wrote to memory of 4736	2792	msedge.exe	83
PID 2792 wrote to memory of 4736	2792	msedge.exe	83
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84
PID 2792 wrote to memory of 2280	2792	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://91.90.195.152/Gr5L9Q
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fe9b46f8,0x7ff8fe9b4708,0x7ff8fe9b4718
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12707671185268559733,4185510350569665851,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Git_Launcher\" -spe -an -ai#7zMap21510:84:7zEvent19188
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1400

C:\Users\Admin\Downloads\Git_Launcher\Launcher.exe
"C:\Users\Admin\Downloads\Git_Launcher\Launcher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
abe3cfa0ba1db9c7e8719aa4b42c334e

SHA1
cf968c3b85142eda5c95fec7c820cf37651b20e5

SHA256
08e0e3c7a758c0eb49e2081352b745a16ad9fdbb48da8b76cb18a026274c4201

SHA512
aa5073c3776c3f0f4f05f689be19bde5481218310de9007c075b54d2bd4a1e751618b7249feff106b9a242b7a42a47198526ede3d8c0ca543d07a906d87f46f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
34a72154ed9746a609b29d25ad8d6469

SHA1
ee1fc6413972b90af4973bc1c158c47011e757b5

SHA256
629a1e55ae58d7e9e13caf2aabc58ad73415b514df679a5e15ac561b1b549f10

SHA512
2789dcc6843a73666ed06d51a7bfb8e92dd7c0a82062dc0d252d883e4c943fc229932fdb1410e9d40d7a7dd965623f3df582640a0952adf7feb7e05a68e37d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a23cfd25e1be84f07988236780e79d45

SHA1
3cfebc7bed36f06adb743c2dabf5f71f8059c227

SHA256
2ce2efc4e00261072d0f96eeec9f5df3fdd4084eb86eb1e584b67aa66c4a7f51

SHA512
0a0b81a49b90f84b9bb198ef7a1c680806eaded9f504f13d03f4f9bdf84e343590fe71f1023fabb6d428b2b4c338e570a5b9f9884ea90609c3d21a7fcd3e70bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3793930ed3fea54c0048eb2b1cdbd60

SHA1
fa904dd10b467f000acaac0d64382950d4a886ce

SHA256
39ce4b5edc3eb8047c7b462feb5905b4f60b26d181e040c7a71cd4d05792656b

SHA512
436a581f8e9fe5ac4f496cbe2a6c02142ff779575dfbb088d76fc331c78876a68754d1126df6ebccc281757a89c04c07d6f45335315e3d098c40405b719637cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77ef3dd76650b16f528395afc05ee496

SHA1
83a9394da2b9e48017939a76b5a3999ff5cffae9

SHA256
4448ffe8b1fa8206b2c8430f8a75153167d99fc7e0b54cd1c935910d1b03d122

SHA512
2e94448267c02bb2bf5e813c0aee215681a8e10ede43487c9f13242c33d1b6a697776dc3f2ae1928bfa21d5d40b154c0677bff59c886cc51165492ae5b6c4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
111b5efd3a581838367fd93cbc2d0dc8

SHA1
8d3dcc90cf58bc14effcc1618cd67ed4f953a90c

SHA256
37ace30a9effa6989722a0f4880b85e7915a167e307136d377ddb994013172b8

SHA512
bb7f49f6b8c1619cd486edbffb48c278cad8246b6afa27fbd4fb362576d5af3178e95869c224ebb2d945e09be9fce97410e264d45c0cb2ca765990b88cf90c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e46b6fdec54288bbcfb727b6d9aec5a

SHA1
42589e8b3342a09cea333603ea1ac7d30b436dcf

SHA256
f5a82889001ca9436b2e876b5c31658c1fd656d301b4dd8caf45b0c1cb34f9d0

SHA512
0f6648deeb35a24c0309773593a95bb8e69ced7013f1c2711aee48069f293c0f0abc6f941ffd3dd23f43c16b67877691956452fe9b626ac942105ed8d40cf4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\Downloads\Git_Launcher.7z

Filesize
42.0MB

MD5
8098453916685d07a08f4f2b8d97f859

SHA1
cff71e1bb89b9e49684671f48c4ca12d10797690

SHA256
828e59b9ce497dc7920c8244a3f664b8e229e9dedf8a5fb80ffff777beebf9e4

SHA512
0532be77ce3d6725e5d27e247aa6b27a6580be57b33617617b9e34476a34b73e35b05d04dbe21278fc435335c960184666e73579f7388a21e00f1a108fc46e81

Download Submit
C:\Users\Admin\Downloads\Git_Launcher\Launcher.exe

Filesize
3.9MB

MD5
303ab0737b1da8872c590cd160912c51

SHA1
9730f371d78a48bf48d26c6f8bf95b0bfbbac329

SHA256
ea936ecf48158aeef5ad85521d42c4588f1815f7175ed37dadb122b08c1eba6b

SHA512
e62ef47b14532dd4393ed2db7267a52072cbb6e2f4fb29d5f0548e709285192aa33d085a9a5aff4c5b20b9bfb1412597c709578cbbe87709455015dceee8a3bf

Download Submit
memory/4712-1501-0x0000000000450000-0x0000000000836000-memory.dmp

Filesize
3.9MB

Download
memory/4712-1502-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4712-1503-0x00000000052C0000-0x0000000005502000-memory.dmp

Filesize
2.3MB

Download
memory/4712-1504-0x0000000006630000-0x00000000067C2000-memory.dmp

Filesize
1.6MB

Download
memory/4712-1510-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/4936-1511-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4936-1513-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download