zgrat | 30263649fa9032042bd4f1828fd41e6dc096be790c60c886741b4ae0fb86bd22

Analysis

max time kernel
32s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlackBullet 2.5.1.7z
Size

31.0MB
MD5

d45deae0b8f65d68f197fc989d2c7b5b
SHA1

f3bc5e33990a3536a105019c59715988671caf5c
SHA256

30263649fa9032042bd4f1828fd41e6dc096be790c60c886741b4ae0fb86bd22
SHA512

2fe2efa862434701a478774071034b40652d53445ecd33d33b8c1fc229b8e0c86cce8ac94858d5db8c96fd51974d2d5fc6769e8cba7c665223eef38346b36afe
SSDEEP

786432:RqpSnNVdchlA4UoMeTsblVWmX05cNkPEhgLHLapDYWq:FnNbulUoMeY8Z5pLapDYWq

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2468-477-0x0000000000400000-0x00000000008FA000-memory.dmp	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeBB2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BB2.exe

Executes dropped EXE 3 IoCs

Processes:

Launcher.exeBB2.exeBlackBullet2.exe

pid process

1684 Launcher.exe
4416 BB2.exe
2468 BlackBullet2.exe

pid	process
1684	Launcher.exe
4416	BB2.exe
2468	BlackBullet2.exe

Loads dropped DLL 21 IoCs

Processes:

BlackBullet2.exe

pid	process
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe
2468	BlackBullet2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Launcher.exeBB2.exeBlackBullet2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BB2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackBullet2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

4388 msedge.exe
4388 msedge.exe
3976 msedge.exe
3976 msedge.exe
4536 identity_helper.exe
4536 identity_helper.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

5008 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3976 msedge.exe
3976 msedge.exe
3976 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 5008 7zFM.exe
Token: 35 5008 7zFM.exe
Token: SeSecurityPrivilege 5008 7zFM.exe

pid	process
4388	msedge.exe
4388	msedge.exe
3976	msedge.exe
3976	msedge.exe
4536	identity_helper.exe
4536	identity_helper.exe

description	pid	process
Token: SeRestorePrivilege	5008	7zFM.exe
Token: 35	5008	7zFM.exe
Token: SeSecurityPrivilege	5008	7zFM.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

7zFM.exemsedge.exe

pid	process
5008	7zFM.exe
5008	7zFM.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeBB2.execmd.exemsedge.exe

description	pid	process	target process
PID 1684 wrote to memory of 4416	1684	Launcher.exe	BB2.exe
PID 1684 wrote to memory of 4416	1684	Launcher.exe	BB2.exe
PID 1684 wrote to memory of 4416	1684	Launcher.exe	BB2.exe
PID 4416 wrote to memory of 4840	4416	BB2.exe	cmd.exe
PID 4416 wrote to memory of 4840	4416	BB2.exe	cmd.exe
PID 4840 wrote to memory of 3976	4840	cmd.exe	msedge.exe
PID 4840 wrote to memory of 3976	4840	cmd.exe	msedge.exe
PID 3976 wrote to memory of 3804	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 3804	3976	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2468	4840	cmd.exe	BlackBullet2.exe
PID 4840 wrote to memory of 2468	4840	cmd.exe	BlackBullet2.exe
PID 4840 wrote to memory of 2468	4840	cmd.exe	BlackBullet2.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4724	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4388	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 4388	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe
PID 3976 wrote to memory of 1808	3976	msedge.exe	msedge.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BlackBullet 2.5.1.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

C:\Users\Admin\Desktop\New folder\Launcher.exe
"C:\Users\Admin\Desktop\New folder\Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\Desktop\New folder\Data\BB2.exe
  "C:\Users\Admin\Desktop\New folder\Data\BB2.exe" {Arguments If Needed}
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E60A.tmp\E60B.tmp\E60C.bat "C:\Users\Admin\Desktop\New folder\Data\BB2.exe" {Arguments If Needed}"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://crackingparadox.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcba7846f8,0x7ffcba784708,0x7ffcba784718
        5⤵
        
        PID:3804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        5⤵
        
        PID:4724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:2540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:3040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        5⤵
        
        PID:4192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
        5⤵
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11837306037279471926,5441304086606691969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
  - - C:\Users\Admin\Desktop\New folder\Data\BlackBullet2.exe
      BlackBullet2.exe FL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
903290203da4db84ca56a31b64478417

SHA1
2e55269f0253888ae3e1c9e29b025554575b4bc4

SHA256
c6dc30f67d2be0901866d1a624a6d252f92db2569b014970c4a037b50e1101a1

SHA512
e721a0bcf9104bfea100f4f010cacb038ea22a8fcfd40073e91c1992fdde4408ae8affd439048c10d9b75b13ee97c7d303c2810b1a974d90b30d8bf034708191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
93b09e9c09943ebcf218e98ee4aef8f9

SHA1
f67a77e26e5ca60e295296f87fd5cbb540effdc4

SHA256
487a1d31b7353b07e68917c024bd6f86d221650fa7bf2b15db7f708dfc719546

SHA512
ff77fd3e506fa698a52bcceb75b72dfde4e298d1de64ca71e71f8c804234a8480c7b97a316cc50ec6ae27d57b05331894efabb578e4119b589fd0845ee47e8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09916e190d73fbebfb320c6205f1ec40

SHA1
5a5f977ee43a5b6ceb9067a5bcd04b728592b364

SHA256
4d59d1b9519cfc786cde4b924fa786b55ed1ee92e5091f5a0ad5f7275236d943

SHA512
4486db735f3c8c7a3bec2fc9969ea0ac270744388bd4a036622312c4e474c1fcffdef7f369ee884f0df6e8398a8a7bc3690542a77abd9a6d96319498503e87a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ea49f22ec2ad7ba5f18560338e0bf57

SHA1
246315703ac91499c9c97f3a1ba13819d8a1c589

SHA256
5764e81cec4f0c94aeb097d1da167ef7fa894642e7babea0bb96b360de1da2e7

SHA512
9168f9266eb832cbceefada34eb702c8f181465cca1f4e4b8e279d7209117f25b79699fdd8b95c82b471ad20f3c155180efd07c8c78a9d6506e886bda2a68cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
129e4f6252b6ac0e65e416acf8012645

SHA1
3c739a93dd4ac21c40e61f914cdb74a49822b5ae

SHA256
aef45060c09fff5c2aabb079427915cb618688217687e0412205c15ad8767b85

SHA512
7959882673d46c9e0ce0aec736891947114d1ce250bf6cb60d1ed5cbdad953a2ad700e1bfb6e78db7b9b810e078ad5c5d5a5403ede570c7a70d25e5b6c49630b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E60A.tmp\E60B.tmp\E60C.bat

Filesize
71B

MD5
2a0d73d98b428296a6e4dd75d20356c8

SHA1
48fb89a2afb456f31d75e23e6a7df0fda4ef3e2f

SHA256
36afdc556332525b8de95bfb7b83e266dc9d90746084cc6ded0f74a96cba26b2

SHA512
6f2bd412360157d1b7edbe1501adb978fb6f47aae0c7161c40c608c1317ac8e6ade80aecaf6297ca2e6fdea04f490954b7a91d5a6df03ab6e00f70ff78307697

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbEFC1.tmp

Filesize
1KB

MD5
ffce54e20826d374ab5e2ee01b4cb247

SHA1
ec13d3732150aec775d71d9d3d97f25995a1eb88

SHA256
d5aada4701f8cf3cb22fa5092c98e784741dbf84d9905daf0928b9270a0ec11a

SHA512
266673cc361747987ac5ca1b3a0c136f8812405a4646b5be7df18639ee6b893eb26429a41c2fa0b7ddb250289af86fbb7893dce4ddf5b37cd22fa7aace2e2d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbEFE2.tmp

Filesize
1KB

MD5
0ce4834f5cba48c98b0956c0de6d9169

SHA1
53e862ef50a712a43ebb11edbabe85edbc9011b9

SHA256
cd27cf9a36d0f791925d581b4f107536428026e5ec67ac8ec064cfb855d1c135

SHA512
3be3497f811339c6ce2f3d16d43e97d7b83da40ae1c54b6ac53e7dee23d71439318111a7967e16131eb46b62aae84ce54ee5a819cdeece6a9576df5595b3dbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbEFF4.tmp

Filesize
1KB

MD5
992f3b6741f74aeba23a38aa61665501

SHA1
ea1dc14e3dbfd10e5b78e0c5c66b99c90bff507d

SHA256
6acbecfd4644be3ab04625dc517d812abdd0437d68980d55dcbda319f6e184c1

SHA512
32c6151a270aa32317fc2878ca216fd512379b48238448da383e68168e527265d234d7e63ae3603fb09929282b62c5fae0539222814f25d3e0268bac0b6c6d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbF1C9.tmp

Filesize
1KB

MD5
dd6e920cae4262f4116706722b5c2d2b

SHA1
823c70ddfd94e4108001a2da7720aaa0aa721a39

SHA256
cce540819490859a84ba53c71b3a9e57978c7c1ef00114b24712037e0e5080a1

SHA512
30ef35e89e3150e9309519d14a270a36822b58a30d784ae1377a66b4655b428eb935c354d0fd4768e09d0115900ff1138795feddbffd98315ef2922cf44cd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbF26B.tmp

Filesize
1KB

MD5
0b8d921d6a673285be78a679f3d451f5

SHA1
5fd3370b6ee09ffeffaf1f2d1b472fe1ab2e44e3

SHA256
44914a1ee2dd069afc47dbc8e836adaeab915b6a652e25475e52e598b91a8b54

SHA512
eb3bde14a1c3dc5670f8d92b2c6f055b1b3408f89dafd22aea55f42d361ffdd4a1c19490f52d2cce2726ba2812026e493591dbebe9ad1a52ecc749749824af5b

Download Submit
C:\Users\Admin\Desktop\New folder\Data\BB2.exe

Filesize
247KB

MD5
0f71306382369d8d08598bee5403bcb5

SHA1
b4530c2d598c9d48d18e53cb26b87a07ab4108a1

SHA256
dc0f37fdd2414feba7fc57d18fe8407cb4d891e139a462f75758ef97f61694cd

SHA512
07644af616316c155ae20220aafe83d2a6b911d73f9af7bd3a3ffbe8a4517d0cb5c41bbbca32d5d0e0772ad54bdeed44705e1c903af450724dccfb4e2f3e7fc5

Download Submit
C:\Users\Admin\Desktop\New folder\Data\BlackBullet2.exe

Filesize
6.6MB

MD5
65b716d641a1a0f1d4652d4201bde84e

SHA1
39b49bb45ad3204daf92fa9d5545a2e8a5f083d9

SHA256
934d3d466a25472f639188ea088a2c01198bdcbe418841cfa65b85cf97f100d5

SHA512
95f37ba7612650b331802cf7a14dfcc544f7d18d479067e156652fd428ce72fe6cdfd41f22dd5a8c81828e182156b34f85f15f31bb587b18633a9ae97bfb75e7

Download Submit
C:\Users\Admin\Desktop\New folder\Data\BlackBullet2.exe.config

Filesize
858B

MD5
919236f98bca660111b7eb3703c387bc

SHA1
eed03be30f98b6cce546389d96bf8a9ed0224e93

SHA256
7f05f68f739ad4f463f831ef81d0bbf954dc7e29ef86cc87bf041e1f6cec29dc

SHA512
5437eccedcc2e0a3b2a57144dba3ebcac3eac09fa0004c5abca141e5e0def5686a75e85437bb697c1f907d53feac4bc4265d1cbcbeff92288e90a82b0b6f3744

Download Submit
C:\Users\Admin\Desktop\New folder\Data\DB\BlackBullet.db

Filesize
40KB

MD5
43828a37b18cef90e0e0fdb3ccba7e20

SHA1
5213a1752046a5ab0887630a05396e2485a03dd8

SHA256
06fa45959ff1cad0d429c4fabd2393ee04bdcca6baeb92abbecf10df963ea4f6

SHA512
02fe7695c16c56edb11c76a236dc5c9ec11f34ffc9a0370bee4c2f0f8e988591ac153e5d890169452727f39dc58f542bfd9d39f82e9d5fed76f750c11deff7f0

Download Submit
C:\Users\Admin\Desktop\New folder\Data\Settings\License.txt

Filesize
39B

MD5
9dda87fa514b74a1ddf0fe63bbfbae7c

SHA1
93348e0dbeb1626af26017438a3bffc6c3a538a2

SHA256
3f287a6cce86d002f49f7f05c08079fe837abb41b091102db3a92403e2a81ce2

SHA512
340fab019cc3ca60060660645f0d33d6fc58eb189ba21e4157d370bb61f60e158243cc64c37b103a5326920724e7886b3f64313e72357928a36ee243db234cc9

Download Submit
C:\Users\Admin\Desktop\New folder\Data\Settings\Settings.ini

Filesize
2KB

MD5
b6a71a4d4e230a0ed69398a22c89ce22

SHA1
c1c87da8111c4faeab63acd0297691cf3cdad462

SHA256
d759e002924cad832074dd4cdd9c8e7ba666eb2a7bca414b7c07f567c9660dd8

SHA512
de2cb44bc9b1de82c3daecd7d3dbeb6de9158a6ced6a0c595406615cb390bfa948872d3d9a463b0b46a2f3d8d4387999de8a844b122ae893c95a4a2b1454ae7a

Download Submit
C:\Users\Admin\Desktop\New folder\Data\bin\Extreme.Net.dll

Filesize
108KB

MD5
36da665396a78b0d47fb3744503c92da

SHA1
e7e75d1344a298ff830edd350a7b5e1ec97c4862

SHA256
5ab95c5660476bf562509859cae8fac1c8509bc6410076c57b4641b4e9b48b00

SHA512
074346db1eab9a1981a866ba9e909a38aac689424c655ee5a40a43f1978bf39bf2edba967d41a6beb2f878bbf182575da9444d18988f93f459f1ffd1906c4be4

Download Submit
C:\Users\Admin\Desktop\New folder\Data\bin\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\Desktop\New folder\Data\bin\System.Data.SQLite.dll

Filesize
337KB

MD5
66a3d16000dae771fb5cd00d33344e8d

SHA1
d33a5ea4f0241001240332c6ba663405d26e6672

SHA256
54b105ff8ad7aac149e4f42615a37a063fec7ce9b3edd2cd6cdec1eb6c57e2c0

SHA512
9ee8213a39aebf99a2068b3fc23b228b93a8e76061ae6011e8efd11451eaac2e992ae3537a9714ed046f4fd8e23b9ac01ec56e47e8fd1c402f5f88b91f8bc44a

Download Submit
C:\Users\Admin\Desktop\New folder\Data\bin\System.Data.SQLite.dll.config

Filesize
671B

MD5
384dd2c6f11ffbebc4a8fd0f7d255c9e

SHA1
38e352300655ddd8eeccf45c1dafd5b8616f6cd2

SHA256
8a4a9908d893122d427354aa6e5973cae4165d175db3e3c48f7f37730c04d997

SHA512
1e71ad56475708be6cb24fb652853f4a815999928aa249e3dbdc50d124169ce19aec6d54935f9f1853a2cf7d4e65854a05582c3c870a1a03c7c68f81bbdc2d46

Download Submit
C:\Users\Admin\Desktop\New folder\Data\bin\Xceed.Wpf.Toolkit.dll

Filesize
1.1MB

MD5
5349b07f9c0c63cf66486e37bc3c4b0d

SHA1
af3482030d701a013d145406c4f969eb61341f71

SHA256
711001125ff67ce9c8041beedaac3fa6441d64f3b202db53e34010cd42e16ed0

SHA512
814841f4c918638abcc4b95fd76c7fd38aad1015cd532b713eac4975d6772ec865291d7ffb4c5c31fe66014ce504529e755ab4badbaffdad8d28482f8de6d951

Download Submit
C:\Users\Admin\Desktop\New folder\Data\x86\SQLite.Interop.dll

Filesize
1.2MB

MD5
12e5757b49eb50dde2c91aeab1b65c7f

SHA1
7fa3a5d4bd0ae92d0789275ff971c3eba1ea0d8c

SHA256
2f629ea1c9790ca1ffdcf790a845ad5a0bc47b66b4f5d3ce09fbe26ceb19e3e2

SHA512
e8344f553d45642bbb1a32863dd0948bbbbd64e047f6f4d4945b165e9475456acb545f42e0d484cf356c1584f6a736444cf30a63e81664c6ae297ea734a802e8

Download Submit
C:\Users\Admin\Desktop\New folder\Launcher.exe

Filesize
210KB

MD5
a10f7bd626f4316948c67df572d53415

SHA1
289a3762a1df17dca68c96836fe033ee87445ae4

SHA256
a34f7e96926f234a3ebe13f3daf612e7a514370a254b51ac05ecc1c1763a3232

SHA512
70d4989be53f4b5f63d83113846af5407926265ec5594fd2cc19b77f0eb456d4a7d4afe8334c96f717cc49eeeac5399e20d4939507876c2472e61337625bd49a

Download Submit
\??\pipe\LOCAL\crashpad_3976_PEQNPFTCYGHEKJRQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1684-459-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/1684-458-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1684-457-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/1684-456-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/1684-455-0x00000000005A0000-0x00000000005DA000-memory.dmp

Filesize
232KB

Download
memory/1684-454-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1684-464-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2468-530-0x00000000062B0000-0x0000000006328000-memory.dmp

Filesize
480KB

Download
memory/2468-564-0x000000000A130000-0x000000000A138000-memory.dmp

Filesize
32KB

Download
memory/2468-565-0x000000000A420000-0x000000000A428000-memory.dmp

Filesize
32KB

Download
memory/2468-566-0x000000000A370000-0x000000000A3A8000-memory.dmp

Filesize
224KB

Download
memory/2468-567-0x000000000A3C0000-0x000000000A3CE000-memory.dmp

Filesize
56KB

Download
memory/2468-574-0x00000000030E0000-0x0000000003100000-memory.dmp

Filesize
128KB

Download
memory/2468-558-0x000000000A110000-0x000000000A118000-memory.dmp

Filesize
32KB

Download
memory/2468-539-0x0000000006230000-0x00000000062A8000-memory.dmp

Filesize
480KB

Download
memory/2468-550-0x0000000006230000-0x0000000006270000-memory.dmp

Filesize
256KB

Download
memory/2468-552-0x0000000006000000-0x0000000006008000-memory.dmp

Filesize
32KB

Download
memory/2468-553-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2468-551-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/2468-684-0x0000000005E20000-0x0000000005E8A000-memory.dmp

Filesize
424KB

Download
memory/2468-683-0x00000000030E0000-0x00000000030FC000-memory.dmp

Filesize
112KB

Download
memory/2468-540-0x0000000006230000-0x00000000062A8000-memory.dmp

Filesize
480KB

Download
memory/2468-689-0x000000000A290000-0x000000000A2B2000-memory.dmp

Filesize
136KB

Download
memory/2468-541-0x0000000006230000-0x00000000062A8000-memory.dmp

Filesize
480KB

Download
memory/2468-693-0x000000000A2C0000-0x000000000A31A000-memory.dmp

Filesize
360KB

Download
memory/2468-694-0x000000000C0E0000-0x000000000C434000-memory.dmp

Filesize
3.3MB

Download
memory/2468-695-0x000000000C440000-0x000000000C48C000-memory.dmp

Filesize
304KB

Download
memory/2468-510-0x0000000005E90000-0x0000000005EFA000-memory.dmp

Filesize
424KB

Download
memory/2468-501-0x00000000030E0000-0x00000000030FC000-memory.dmp

Filesize
112KB

Download
memory/2468-499-0x00000000056C0000-0x00000000056DC000-memory.dmp

Filesize
112KB

Download
memory/2468-700-0x000000000D0E0000-0x000000000D11C000-memory.dmp

Filesize
240KB

Download
memory/2468-701-0x000000000D120000-0x000000000D141000-memory.dmp

Filesize
132KB

Download
memory/2468-486-0x00000000055C0000-0x00000000055E0000-memory.dmp

Filesize
128KB

Download
memory/2468-477-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2468-705-0x000000000D1C0000-0x000000000D268000-memory.dmp

Filesize
672KB

Download
memory/2468-707-0x000000000D290000-0x000000000D2B2000-memory.dmp

Filesize
136KB

Download
memory/2468-470-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2468-711-0x000000000D340000-0x000000000D454000-memory.dmp

Filesize
1.1MB

Download
memory/2468-712-0x0000000006230000-0x00000000062A8000-memory.dmp

Filesize
480KB

Download
memory/2468-722-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download