blackmoon | a456f1d4fa5aa51e8605e6fcb43579c41593c6ae7eb110c5bbdddd071b3ab1f8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

salikhack.exe
Size

6.8MB
MD5

92290d3c06e414319fb42fc0f7d981d0
SHA1

6396501c4acd9e06a44f75f136528535e8003dce
SHA256

3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
SHA512

2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294
SSDEEP

196608:xclQtVzCfE9FQs1W/ojxuBxn86iiYY1BC:x5VOfE9FQUWQjxy8T5

Score

10^/10

blackmoon poullight banker spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sakl.exe	family_blackmoon
behavioral2/memory/848-23-0x0000000000400000-0x0000000000ADE000-memory.dmp	family_blackmoon

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral2/memory/3720-12-0x000001F4E16A0000-0x000001F4E16C0000-memory.dmp	family_poullight
behavioral2/memory/848-23-0x0000000000400000-0x0000000000ADE000-memory.dmp	family_poullight

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

salikhack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	salikhack.exe

Executes dropped EXE 3 IoCs

Processes:

build.exesakl.exeasx0.dll

pid process

3720 build.exe
1712 sakl.exe
4540 asx0.dll
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

asx0.dll

pid process

4540 asx0.dll
4540 asx0.dll
4540 asx0.dll
4540 asx0.dll
4540 asx0.dll
4540 asx0.dll
4540 asx0.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

30388 4540 WerFault.exe asx0.dll

pid	process
3720	build.exe
1712	sakl.exe
4540	asx0.dll

pid	process
4540	asx0.dll
4540	asx0.dll
4540	asx0.dll
4540	asx0.dll
4540	asx0.dll
4540	asx0.dll
4540	asx0.dll

pid	pid_target	process	target process
30388	4540	WerFault.exe	asx0.dll

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeasx0.dll

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	asx0.dll
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	asx0.dll
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exebuild.exesakl.exe

pid	process
4828	msedge.exe
4828	msedge.exe
1484	msedge.exe
1484	msedge.exe
3720	build.exe
3720	build.exe
3720	build.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe
1712	sakl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1484 msedge.exe
1484 msedge.exe
1484 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 3720 build.exe

description	pid	process
Token: SeDebugPrivilege	3720	build.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

sakl.exeasx0.dll

pid process

1712 sakl.exe
1712 sakl.exe
4540 asx0.dll
4540 asx0.dll

pid	process
1712	sakl.exe
1712	sakl.exe
4540	asx0.dll
4540	asx0.dll

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

salikhack.exesakl.exemsedge.exe

description	pid	process	target process
PID 848 wrote to memory of 3720	848	salikhack.exe	build.exe
PID 848 wrote to memory of 3720	848	salikhack.exe	build.exe
PID 848 wrote to memory of 1712	848	salikhack.exe	sakl.exe
PID 848 wrote to memory of 1712	848	salikhack.exe	sakl.exe
PID 848 wrote to memory of 1712	848	salikhack.exe	sakl.exe
PID 1712 wrote to memory of 1484	1712	sakl.exe	msedge.exe
PID 1712 wrote to memory of 1484	1712	sakl.exe	msedge.exe
PID 1484 wrote to memory of 4708	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4708	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 620	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4828	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4828	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4692	1484	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\salikhack.exe
"C:\Users\Admin\AppData\Local\Temp\salikhack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Users\Admin\AppData\Local\Temp\sakl.exe
"C:\Users\Admin\AppData\Local\Temp\sakl.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeb6946f8,0x7fffeb694708,0x7fffeb694718
4⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
4⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
4⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
4⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
4⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
4⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
4⤵
PID:20140

C:\Users\Admin\AppData\Local\Temp\asx0.dll
"C:\Users\Admin\AppData\Local\Temp\asx0.dll"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 704
4⤵
- Program crash
PID:30388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:30372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1f844065ea3fbf9fb74a04a49f5374ed

SHA1
83ff83cd8d082e5ff12547d1a44d0e16d4e79998

SHA256
6a05f711d6d9ef6359bac69e9e70b239af366446cb909b135132992fadff9b90

SHA512
bb86383dd92a3f7f2da026b64677b3f257cf3c4494475593ffb0ef1bde9bf41e4918f56951ffb77efdfb3649488771db47fedc24c80609b0c03eac5aceac1332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c15c03419cb5895a6c842e99a443594e

SHA1
4f90fefbe0015b8e8771c10d0b03fefed85c33c2

SHA256
2803b16941549cbb545dc68b89d05d5a70ecf518742418d3de8c32070738e318

SHA512
3179e7593323d817da70d4c2dc442918b11512a8f62d17fc4174c2bf007d5a3082cdeb7746471306077438511fa59344839a00855e2afe99d90abc6051c4e82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
119457bb2472ce13e6fe6951cb272982

SHA1
a22d33bad59146c17374aa6198db8b32f77028c4

SHA256
22af5f7ad0ab53922fef6615330875709fba3262f4ec436439af8b82e2508055

SHA512
d7376578784280da4d3b740418f5ba4dfa39585aff05e1f62b0d5bf6cf23ac840e724bdfda8ac85fa9adb3875e685a6c003887dc05a6567f71b7c47fa4766e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\9om8k1t69k1gt-27z37ki
Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\asx0.dll
Filesize
5.9MB

MD5
8d7cfce5a4716b167952e569a04ad5dc

SHA1
def4fa116d274403626ba33edc2604137689842f

SHA256
87979231d7f6bc01754071903035f784ffcb0a246a926b1d0b1e10493241907e

SHA512
d27123dacedca9933b484fcb432a411bb66ae5073fc6b3e2e178a5f554b69d84cf069bdddf35b83921670506bc2c0764e60310c6ca64adc89dd68e9fa90be26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
100KB

MD5
446afe801f9738ee2bfcb6791bdcf801

SHA1
fc43f35cd105e8954d77d8f7a48234e2576fe98e

SHA256
ba098b19bb32b3224c759d7853f4e0ebd5751f8cf5615bcdca3d52440fa07ccc

SHA512
f7748de18d35523aab05879944c1bfdda9a78c0b49e9b82c96b78f2e9dc8902848706857771c29cd769288d6ab98fb4b2398a92c240eca09e8dd27f297ebe92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sakl.exe
Filesize
6.7MB

MD5
06dcffb60e21650a7853af9a88b9a04e

SHA1
0021f7ae05f12f54ba5edfb2fb0c957f12fb5f4f

SHA256
f60632e252f6fae33c0f9b4cbff4a646d35d1504d1ed0c32cb03884bd900befe

SHA512
2b9e599c5e6fd498d7120e5c17cf70f79b7d15c27f820305ea0a17b1612a6aee72a07d7a85a8ec35c8a9f9eeedc3e829cea6d6d7c9dcb86f58aa76137a4a17c6

Download Submit
\??\pipe\LOCAL\crashpad_1484_NFVHQBUNVZYMKTOU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/848-23-0x0000000000400000-0x0000000000ADE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-26-0x00000000026D0000-0x00000000027DD000-memory.dmp

Filesize
1.1MB

Download
memory/1712-13229-0x00000000026D0000-0x00000000027DD000-memory.dmp

Filesize
1.1MB

Download
memory/3720-13-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

Filesize
8KB

Download
memory/3720-79-0x000001F4FC9C0000-0x000001F4FCB82000-memory.dmp

Filesize
1.8MB

Download
memory/3720-82-0x000001F4FD0C0000-0x000001F4FD5E8000-memory.dmp

Filesize
5.2MB

Download
memory/3720-25-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/3720-97-0x000001F4FC630000-0x000001F4FC642000-memory.dmp

Filesize
72KB

Download
memory/3720-12-0x000001F4E16A0000-0x000001F4E16C0000-memory.dmp

Filesize
128KB

Download
memory/3720-13231-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/3720-13230-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

Filesize
8KB

Download
memory/3720-52-0x000001F4E3360000-0x000001F4E336A000-memory.dmp

Filesize
40KB

Download
memory/4540-4022-0x0000000076F60000-0x0000000077100000-memory.dmp

Filesize
1.6MB

Download
memory/4540-13219-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4540-13218-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4540-13217-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4540-13216-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4540-13223-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4540-13221-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4540-6031-0x00000000757A0000-0x000000007581A000-memory.dmp

Filesize
488KB

Download
memory/4540-148-0x00000000764E0000-0x00000000766F5000-memory.dmp

Filesize
2.1MB

Download
memory/4540-147-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download