darkgate | hxxp://193[.]178[.]210[.]226/documents

Analysis

max time kernel
481s
max time network
490s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
15-02-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://193.178.210.226/documents

Score

10^/10

darkgate stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/3396-124-0x0000000006330000-0x000000000668B000-memory.dmp	family_darkgate_v6
behavioral1/memory/3396-125-0x0000000006330000-0x000000000668B000-memory.dmp	family_darkgate_v6

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3396	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\reader_update.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1384	msedge.exe
1384	msedge.exe
2368	msedge.exe
2368	msedge.exe
4664	msedge.exe
4664	msedge.exe
3296	msedge.exe
3296	msedge.exe
2792	identity_helper.exe
2792	identity_helper.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3096	2368	msedge.exe	46
PID 2368 wrote to memory of 3096	2368	msedge.exe	46
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 468	2368	msedge.exe	82
PID 2368 wrote to memory of 1384	2368	msedge.exe	80
PID 2368 wrote to memory of 1384	2368	msedge.exe	80
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81
PID 2368 wrote to memory of 4856	2368	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://193.178.210.226/documents
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff990e33cb8,0x7ff990e33cc8,0x7ff990e33cd8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,14383382264860320974,1804727629470032386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3384 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

C:\Users\Admin\Downloads\reader_update\reader_update.exe
"C:\Users\Admin\Downloads\reader_update\reader_update.exe"
1⤵
PID:4656
- C:\test\Autoit3.exe
  "C:\test\Autoit3.exe" C:\test\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\49fbe00d-f352-4263-a118-591bc69aa4a7.tmp

Filesize
10KB

MD5
ddde3557bad32bb39521e17c81238bfe

SHA1
cf8324b7f9b9d18762302ed7e06d1389e7e6fabf

SHA256
b5c176912af98d41a1b1fe889c3bf685dce9be518f93c4a2968dc78160a21750

SHA512
9314084ec7120c8d7a82f4eee633947a10183d076971374ea727e4a542ddeb6526dbad24654a88d94eb24761bfa18a7f329144a643de1dcfa0b569ab93c7a72c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd0e8690afb6cc94da2feb0e0443dc81

SHA1
ece9da10c445c54071e1224bb1dc25e8a15b089f

SHA256
14d81c4f4672dd9503f4d137a36a107f1b662cff748a1edb15b53aabcec2074e

SHA512
c04a5aa810668fc5549961c866e18ad6d3e7bc7cd252239713cc0dda77266267f008d3b452d4afb91695a2ff44c30eb727a8ffcbb38ce7e75085461f617ddf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4cb8680a24135ab74ad7756f890bdbf

SHA1
989a6df1e95328b4116cc66611988ea9e8839df0

SHA256
13782a7734273c27385852c39754097b16b0d302903a5a3cbf05f0ea89f2fa50

SHA512
31c9ff075537138714030402aa047d3592dfe4ed27ff83899404176344300e29be42ded8fb0e6641cf80f9163094155c1bfe58ffe7d73fa118c72ab8e32c5ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95c4b195e1a1e4663e60305bc6c43ee6

SHA1
a74200fdb8e7ae174980658350451b5961fea478

SHA256
72405cb37c45cf990df1059be741b81f2433dfb07570a8e60caccff838bc00f7

SHA512
515e4d3aabb47e71e59f93ab98f726c692b8eafc8c5bd5431600eb0fafed9059ce163dcf9acfd406090f11f4be7848284b90c2971919887bb092674c016de5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
27feac564886a314610258118b702964

SHA1
508f27a4a31cd8154d6dd695b9c17c016f320dca

SHA256
88d667e42ae3139727b631f3c2b305a1471e70bd897d161cb39bf2d8809b53a0

SHA512
4b23627e0db57bf9a73b31a389bd7aed2e1853773dea9e20fe802c1eec68232332e5ab7c0d91fdbd4b0b6ffdc7cbf1645acbb71de0a1181fbdcc65e161be8dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
ee749e7f1e4889f30e18bcf8097ffcd5

SHA1
85630218fd3fccc00faaa4ad98595cbeefe0c026

SHA256
69279ff724bf5c30735b79d0ed740d89a9fae97514bf98924e258d6bd1b24c12

SHA512
60d13b2dda4d06b5150ccfa41b2b69eceaba6be608068546ac47cfe7e0a701736d097a5ef8b7614800b55efd273fe480f34f43d75e68e83573169b86e3a19284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
1ddf99be9c9e54c74c5fad61ce5d122d

SHA1
373e59ddf1a91600f135be611c5672c3365f0295

SHA256
9c26a699e0981160619cc8e3dea838f940e3698eceed3db9d836a9187a79c117

SHA512
8159026c72aae72c23e8513d69b03262b79dbaeee132f0f0e93d96b33cd89bbbaf6df17b3cbeacf3284d97075a124bf439ec2028579f40105ab3983449bbeaa2

Download Submit
C:\Users\Admin\Downloads\reader_update.zip

Filesize
496KB

MD5
0bb063d129162e8c93830fdbcf2ba416

SHA1
b94061877b45dda085ef56c03b09c210a6b78a20

SHA256
34141756b9cc1ed73041cea7f5b96ba54098ac91aa11a74ada2a4dcfdf05f574

SHA512
fa31c12a344406a683cd9bb943351eba344ea8c9bdfd38e498ede07809b8d43f73a5cf317fcaefad5beb5f96f76b6be14dc666c071f271025b16ede5a15d05d4

Download Submit
C:\Users\Admin\Downloads\reader_update.zip:Zone.Identifier

Filesize
133B

MD5
7993b62fbe6968dc7553d1bf1de483ce

SHA1
77579cc404d818792c686e0d042768671804c3d0

SHA256
f26aae7f8354d455e481f590038843448de8cd59ce22a779ee05e76dea7f1ba5

SHA512
3802669fef80a3d241cf00aa21ba057dc5fd464533f0bc73c4e2b75aa3dcf8702ce23db2ded19f70f4f1958696df3dfa4b97b94cd5488878cae34d63e832614c

Download Submit
C:\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\test\Autoit3.exe

Filesize
303KB

MD5
66f0844f6a0f4ee20ae20bf000a7ae30

SHA1
08d486625852ed76924de4d4aa81cd9d07b57159

SHA256
55213432598047ccb7d8cd0bd38e038e79f6e8255330b25221b269274061fc96

SHA512
6a6d7837e5b42371f4827e50135e5509252c59e3b2a3835b5a6747f55cac7394e58c775276ea0db52a69472e5c10433bac0312919b194575fb67eddb6920dd19

Download Submit
C:\test\script.a3x

Filesize
473KB

MD5
30a57489d8db61af2b43b3a5e796234d

SHA1
31bda33394b533f33147b374c9108d8762876590

SHA256
b21aca04205df1d33b2218cd986621abbca52070f2f21ed1bc24294f8ab09f31

SHA512
647dbb85c863808aa88ec5c7f15a4fc0ec16f9cfe7fb923778efd1365bda1e0d9a37d9f9950d7eac6a31717da3bf38dbdf41adda68485fe3074d76a2d389b17a

Download Submit
C:\test\test.txt

Filesize
76B

MD5
570fb19bda07644952532d2bee7593d7

SHA1
c434be58213f885cbeaef00d47877490e8ef4c9a

SHA256
7b7228217776234e8c03c7b48cfa51f4284553151158b6bfbacbe3d9f348f25a

SHA512
abd1230cd3c000cd8a4f5100883b46b467c10993cb94fd2ad868b2bd6bdcef8fef7bc3021d38d4f042e9ad8ddfbf6f92d9779325006be936c0992186bc546e66

Download Submit
memory/3396-123-0x0000000004E40000-0x0000000005E10000-memory.dmp

Filesize
15.8MB

Download
memory/3396-124-0x0000000006330000-0x000000000668B000-memory.dmp

Filesize
3.4MB

Download
memory/3396-125-0x0000000006330000-0x000000000668B000-memory.dmp

Filesize
3.4MB

Download