45f4a2155d2bf3d3bc0ad79bf76626a0bd387ee2700e9662372af1c9fdd765bd

Analysis

max time kernel
156s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dd6dcd242cbf8f13d837c5f7e0e1046.exe
Size

2.9MB
MD5

8dd6dcd242cbf8f13d837c5f7e0e1046
SHA1

152250f4752f3c0a664a984a7246ae8cbf871e48
SHA256

45f4a2155d2bf3d3bc0ad79bf76626a0bd387ee2700e9662372af1c9fdd765bd
SHA512

e17b17d07e99a5b4d719f0e07093031d9fea2bdf0a706d49bad14c8564c7ff268c3369dd7da3e8fa06e5708c818e7fa67f4c2221534066fba148e3960edbef3f
SSDEEP

49152:CAcTH7g5D0izlzzzy6+vo5XFwOJx/9QS1c7IWpn6+ZJE9VlULA8eP3eyIn0zh2C:fD0izlzzz5+vQ++/9XcB6+ZJE9MA8efX

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8dd6dcd242cbf8f13d837c5f7e0e1046.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8dd6dcd242cbf8f13d837c5f7e0e1046.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8dd6dcd242cbf8f13d837c5f7e0e1046.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/916-0-0x0000000000400000-0x0000000000AE3000-memory.dmp	themida
behavioral2/memory/916-2-0x0000000000400000-0x0000000000AE3000-memory.dmp	themida
behavioral2/memory/916-3-0x0000000000400000-0x0000000000AE3000-memory.dmp	themida
behavioral2/memory/916-37-0x0000000000400000-0x0000000000AE3000-memory.dmp	themida
behavioral2/memory/916-262-0x0000000000400000-0x0000000000AE3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8dd6dcd242cbf8f13d837c5f7e0e1046.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	discord.com
39	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
916	8dd6dcd242cbf8f13d837c5f7e0e1046.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3073191680-435865314-2862784915-1000\{ABCE8469-492B-402A-BF48-E53D073A8BF5}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2044	msedge.exe
2044	msedge.exe
3948	msedge.exe
3948	msedge.exe
1764	msedge.exe
1764	msedge.exe
2184	identity_helper.exe
2184	identity_helper.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1432	916	8dd6dcd242cbf8f13d837c5f7e0e1046.exe	84
PID 916 wrote to memory of 1432	916	8dd6dcd242cbf8f13d837c5f7e0e1046.exe	84
PID 1432 wrote to memory of 3948	1432	cmd.exe	85
PID 1432 wrote to memory of 3948	1432	cmd.exe	85
PID 3948 wrote to memory of 3620	3948	msedge.exe	87
PID 3948 wrote to memory of 3620	3948	msedge.exe	87
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 1020	3948	msedge.exe	88
PID 3948 wrote to memory of 2044	3948	msedge.exe	89
PID 3948 wrote to memory of 2044	3948	msedge.exe	89
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90
PID 3948 wrote to memory of 740	3948	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\8dd6dcd242cbf8f13d837c5f7e0e1046.exe
"C:\Users\Admin\AppData\Local\Temp\8dd6dcd242cbf8f13d837c5f7e0e1046.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1884.tmp\1895.tmp\1896.bat C:\Users\Admin\AppData\Local\Temp\8dd6dcd242cbf8f13d837c5f7e0e1046.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dsc.gg/astralcheats
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ffb0e4746f8,0x7ffb0e474708,0x7ffb0e474718
      4⤵
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      4⤵
      PID:740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:1
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4916 /prefetch:8
      4⤵
      PID:772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4884 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
      4⤵
      PID:320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
      4⤵
      PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
      4⤵
      PID:416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:4912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15468766605413534342,1657505291810916602,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3388 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6fb0ab6dc3b8de67cd1c899f238eabea

SHA1
e5983b20a14e859f8a45e1b82bc2dac5c5b47a7c

SHA256
c1ea379e8c8b490e2d2fa44f029e09c1926c133a46a8a5f37c804fd225279c2f

SHA512
0e2c5d091149b1ef3a18aa757671b5b2fd5be5f7d5792e3f9e28c915676e2452d207cc8aa914902d62f47ff261b7d2a19aabbfd5cebfe1c8fc881bd3a0802a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
666B

MD5
2db073e450fe8ab5b777cf0f0c8e99bc

SHA1
d211e64084db511831a556473842dde4595d7171

SHA256
e74d9482c29e1a5a3ee4efd3ddea2acf9aaa48fd4f366dc5bd9ed67ea97c2b7c

SHA512
dab8d7bdb2c035037ea7478f31cc408c37681a9e9baccb49a4e990fb0e91e34717d4bcf441e261248fc66ebff4c34c9dd6f7db2fb33693f7acb51a1f79d25515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
699bd8b19f71a8ce4d17c95dcc558c24

SHA1
0e0c97fd64a5adaaa2de9603c1bc728cf9a19e3c

SHA256
86e4fe8adc5f3e3998e46b4ff297c249f036ad51155e56d33325647e5e028571

SHA512
fd29f571bcd3021c90cf8a071c0902e803301e69833f0aee5240c8cdd5774d4dafb9747b7b6c2ae5f607ec482dcfb3a78f2a7d9e40164e63ba0684df2e08fab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bdb190fd570057ee8e1d546f3b38f67f

SHA1
c7e854d7104bfd650be03e8bcf565898184ce968

SHA256
d63bf7dac09c718a74e296e285c6b9236001100587c7e885065e3941b50205d5

SHA512
ddd9c21489e763f02c01791c7fab6f08f360ec07b207d0cae71e61e45379c9570fbb580396944c18a0e990f3ec13ba16300d770770591beb9a16644cf563f768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0aa51fbcb51e1ea3234d2911c1f4f605

SHA1
121dc808b560814188e6a4773aed72b98baf619f

SHA256
6875ea81cef0c6ed6dfbe3b1cf617ba78763baf3426400504f23c5f1096ab39b

SHA512
55c704d767b0f6b8ed802f063094f702f423efcc74d9966028724c2442b9c9b6d19f0525c5c2b6477b834852b41f7f88df04bd4e2ccd9ef114478f9b66ee3396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8bdd2800451c366d7c50c51b93482ef7

SHA1
74f0bda38358e5b4307ae42318b73334a6413aed

SHA256
1f4ecc4cf4969ea4344ff8363721cf63eb49530f2ca9935625034e4f91d7ce45

SHA512
c1f1150d09c31138366e643a88198129706f2cd2c1d2133875035ceb077f3036b9d574ab7c0214028ca616872306a5cf0e72c664bd35fa9dd541a36edebfdf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
849f2dd72de4bf6fb2b62bf1d360a38b

SHA1
a4dabb7980da6827af91cc882216ca8d4920bec3

SHA256
96be60d012a26734dc4b78cb6480d4d181e3008560ee25262e3ebfb811d02a9c

SHA512
603588b7089ed5e1bf9ade8ed722b18971e81398e6bc9eece9a94612e1c42193cccf20fd20ff135620fe4061c1df6798cda72b19be0fe024513078222cd796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1884.tmp\1895.tmp\1896.bat

Filesize
197KB

MD5
3800d6fbde8375669d4b601faa672064

SHA1
86b70c01a83ce636274e7d78e6a70a31f166bc07

SHA256
80850ec10c14dc54a5c65348afc7b4a7ef4da92d56d613071c0f25663a0361ba

SHA512
15ae18113fc7ad3ff319304ce884d985d98142f1303c8efde1186fe59057876e9a1737be8638209d5264e672f7dc96f0c2389aebf513a6e8b77ad81cf5f29750

Download Submit
memory/916-0-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/916-37-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/916-262-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/916-3-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/916-2-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/916-1-0x0000000077DB4000-0x0000000077DB6000-memory.dmp

Filesize
8KB

Download