Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2023, 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.4MB

  • MD5

    8db8ac6d19be3b52641ea16e209b9ea4

  • SHA1

    602bcfe9d5721eb745984cd78282493123a6cdf4

  • SHA256

    e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0

  • SHA512

    301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91

  • SSDEEP

    24576:vFBr1R5kl7kHeIg+jQ0SBpxhtL6VEP5bCKCyzHAc:vX5yQ+IVUv5bCKCV

Score
10/10
dcratdiscoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat 7 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4700
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4232
      • C:\Users\Admin\AppData\Local\Idle.exe
        "C:\Users\Admin\AppData\Local\Idle.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13189/
          4⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3940
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde55b46f8,0x7ffde55b4708,0x7ffde55b4718
            5⤵
              PID:3760
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              5⤵
                PID:4164
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3916
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
                5⤵
                  PID:4108
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
                  5⤵
                    PID:228
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
                    5⤵
                      PID:4700
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
                      5⤵
                        PID:4256
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
                        5⤵
                          PID:2868
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
                          5⤵
                            PID:4240
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                            5⤵
                            • Drops file in Program Files directory
                            PID:3256
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff697a15460,0x7ff697a15470,0x7ff697a15480
                              6⤵
                                PID:3868
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
                              5⤵
                                PID:920
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
                                5⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2132
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
                                5⤵
                                  PID:5056
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
                                  5⤵
                                    PID:548
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                                    5⤵
                                      PID:5460
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
                                      5⤵
                                        PID:5680
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                                        5⤵
                                          PID:6076
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1738474001824457584,5301768498876700658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3304 /prefetch:2
                                          5⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:316
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2412
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2504
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:4040
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\Idle.exe'" /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1384
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:4432
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • DcRat
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1400
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2528

                                  Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Idle.exe
                                    Filesize

                                    1.4MB

                                    MD5

                                    8db8ac6d19be3b52641ea16e209b9ea4

                                    SHA1

                                    602bcfe9d5721eb745984cd78282493123a6cdf4

                                    SHA256

                                    e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0

                                    SHA512

                                    301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Idle.exe
                                    Filesize

                                    1.4MB

                                    MD5

                                    8db8ac6d19be3b52641ea16e209b9ea4

                                    SHA1

                                    602bcfe9d5721eb745984cd78282493123a6cdf4

                                    SHA256

                                    e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0

                                    SHA512

                                    301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Idle.exe
                                    Filesize

                                    1.4MB

                                    MD5

                                    8db8ac6d19be3b52641ea16e209b9ea4

                                    SHA1

                                    602bcfe9d5721eb745984cd78282493123a6cdf4

                                    SHA256

                                    e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0

                                    SHA512

                                    301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp.exe.log
                                    Filesize

                                    1KB

                                    MD5

                                    92630fa7a9a263b35728cf96fc5cbcce

                                    SHA1

                                    7d9dde1da9be4a64a8c203bef2f031aa926dea77

                                    SHA256

                                    5c0e502f283fb3c757cef0d8f22a0aac5fb05e6d619593bd181144f322640404

                                    SHA512

                                    a204babde7ed1f9762dc00b5e31e7a8f39f43af1eeaf874c5405790f482ea9e75752b7f1120ed08ba628f4400a4d72abfa06b761a9a35fdb2207e41a94872e6f

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    462f3c1360a4b5e319363930bc4806f6

                                    SHA1

                                    9ba5e43d833c284b89519423f6b6dab5a859a8d0

                                    SHA256

                                    fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

                                    SHA512

                                    5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    d2642245b1e4572ba7d7cd13a0675bb8

                                    SHA1

                                    96456510884685146d3fa2e19202fd2035d64833

                                    SHA256

                                    3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

                                    SHA512

                                    99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                                    Filesize

                                    70KB

                                    MD5

                                    e5e3377341056643b0494b6842c0b544

                                    SHA1

                                    d53fd8e256ec9d5cef8ef5387872e544a2df9108

                                    SHA256

                                    e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                                    SHA512

                                    83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
                                    Filesize

                                    41B

                                    MD5

                                    5af87dfd673ba2115e2fcf5cfdb727ab

                                    SHA1

                                    d5b5bbf396dc291274584ef71f444f420b6056f1

                                    SHA256

                                    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                    SHA512

                                    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
                                    Filesize

                                    2KB

                                    MD5

                                    c85afdcb67c8119db871fed773f1079f

                                    SHA1

                                    e945a96e2c4d434da25d2c8a4e80587a77df6014

                                    SHA256

                                    448f4adbe6581693f330d337863bbcc8bc5d772503e2475749868bec1b92f0ac

                                    SHA512

                                    11a0109fa203b815a626ebae03c126ed19484e56e1809f8f590ee57bf801845af5117b930b2e53e1669702e49e360839cf7fe4ef017a59d5fd86e775244f80bb

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                    Filesize

                                    111B

                                    MD5

                                    285252a2f6327d41eab203dc2f402c67

                                    SHA1

                                    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                    SHA256

                                    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                    SHA512

                                    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    4KB

                                    MD5

                                    ab9e10705107f6136b399b33a2b74805

                                    SHA1

                                    cee4c9e4145d9cb9bf64b73dccff2a9404cf4d35

                                    SHA256

                                    1f9f053051d803e29c5a3365081790e3eb385b16f1d199c92f183171695e64db

                                    SHA512

                                    cf92786c776ab9a597e055060c968025eb427dc7687d389fe10b7f86021a2c8016249704553aa60bc3b1d752a6973590204cfb5d06703b06272137988da5b171

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    e9d84c3ebc4f7199ec839247a787cc05

                                    SHA1

                                    4e2e932299264efc0939fea894b60651c264a49e

                                    SHA256

                                    846ff2273e3deef6c6d416ba03181409a26b525ca4cd496074e0a9ae88b749ab

                                    SHA512

                                    25583df262522feddeb9f1193628c1b659d00577fe72849bf556d87f065594528fc249f2b3608f68bc57477e66dd0a236db897fc20ca0eff580211b567938139

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    29b6e9180b81d6998fcc0ddea44a1f96

                                    SHA1

                                    afda1fee40a827ab9467830fe3e993a449959c4a

                                    SHA256

                                    3067b7177068f372c328ffbad46786f616f905d1e45698535c845223fb9d9434

                                    SHA512

                                    cac435cf7ba59481e0d24d0ff76bcd5b15b92220c165a2ae760533125e7045fd2965381ada77679e16065ed07b49a1b28ec46d6203a0841b8618f5e90887934f

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                    Filesize

                                    24KB

                                    MD5

                                    130644a5f79b27202a13879460f2c31a

                                    SHA1

                                    29e213847a017531e849139c7449bce6b39cb2fa

                                    SHA256

                                    1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

                                    SHA512

                                    fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                    Filesize

                                    24KB

                                    MD5

                                    69b72d0a4a2f9cbec95b3201ca02ae2f

                                    SHA1

                                    fcc44ae63c9b0280a10408551a41843f8de72b21

                                    SHA256

                                    996c85ab362c1d17a2a6992e03fdc8a0c0372f81f8fad93970823519973c7b9c

                                    SHA512

                                    08d70d28f1e8d9e539a2c0fbac667a8447ea85ea7b08679139abbbbb1b6250d944468b128ed6b386782f41ca03020e3a82491acb1fe101b09635d606b1a298be

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    9KB

                                    MD5

                                    1205dfb181793595d0e22973ece21973

                                    SHA1

                                    53ab502cfd2b268a781ebd8fec2e0effdaa74ebf

                                    SHA256

                                    c3ffd81fe8b9ee9601d4108c83f88635e6da6d99d6b0731b20ae59b711366e0d

                                    SHA512

                                    00e05d6e198749d9bf0dc8f9a561ae53b37ce70eaeeaf5c4cdcc9487c12eb664014342feb3c05cedb447cd9f2c6d943bc0e8c625e2cbb9e7a94d36c1f0500fcc

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    12KB

                                    MD5

                                    9c74a283b52bed9e18ae0081c91efdda

                                    SHA1

                                    fdc902fb8239181a034b79216db56586d988b102

                                    SHA256

                                    79a703e2e3e3c6d0f3caffd2e3d4596da647b25398dabaf451d1ea9bffb46919

                                    SHA512

                                    cd890ed06f44e3703441fb48c57f9ca4c8347a86b64a894dedf152867423b81186a873f69b01ba067085961eaa2040b3a769974f3c18e8935bce6e9c14085894

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
                                    Filesize

                                    3KB

                                    MD5

                                    6170b30efd8b2c2236f51b20e83b10af

                                    SHA1

                                    b49d929d9051e3eefcb7d6edb0af1c4fede65e8b

                                    SHA256

                                    5eee562aa5d93b2618b6ca5548fc81ef9689eeaf525bfe42308d7f2b0b2b48db

                                    SHA512

                                    849b868149d618840c764116a3d212726c1d1533a59614564a251d7273b114b5db612dda42d347d00fd5eb57e3031f8a04670089a783887976eab5e3e4cff940

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
                                    Filesize

                                    3KB

                                    MD5

                                    ce5e2ea2b218cd50b7832f41efc3126a

                                    SHA1

                                    88e6f5870c7dc1b977ec19fb130b2455e548e808

                                    SHA256

                                    296cbd08cda30deac41c10083dcb70cf963a4517bb3836caf177ca5563e5820b

                                    SHA512

                                    962c77a494da66dc7f0859313d2288707ca11ca048f4f2d8aed9137f9383bb4813c92455e1848d214a4557e99171908efb505906338f5cbc3e7bec1aac8b13d3

                                    Download Submit

                                  • memory/532-153-0x000000001B740000-0x000000001B750000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/532-154-0x000000001B740000-0x000000001B750000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4232-142-0x000000001AEF0000-0x000000001AF00000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4700-135-0x0000000001470000-0x00000000014C0000-memory.dmp

                                    Filesize

                                    320KB

                                    Download

                                  • memory/4700-134-0x0000000001280000-0x0000000001290000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4700-133-0x0000000000970000-0x0000000000ADE000-memory.dmp

                                    Filesize

                                    1.4MB

                                    Download