zgrat | 30263649fa9032042bd4f1828fd41e6dc096be790c60c886741b4ae0fb86bd22

Analysis

max time kernel
146s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Data/BB2.exe
Size

247KB
MD5

0f71306382369d8d08598bee5403bcb5
SHA1

b4530c2d598c9d48d18e53cb26b87a07ab4108a1
SHA256

dc0f37fdd2414feba7fc57d18fe8407cb4d891e139a462f75758ef97f61694cd
SHA512

07644af616316c155ae20220aafe83d2a6b911d73f9af7bd3a3ffbe8a4517d0cb5c41bbbca32d5d0e0772ad54bdeed44705e1c903af450724dccfb4e2f3e7fc5
SSDEEP

1536:f7f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfPgIxYnPf8O9:TliUPXC8k1nJrX+fNTBf7i9

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral4/memory/2936-9-0x0000000000400000-0x00000000008FA000-memory.dmp	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BB2.exe

Loads dropped DLL 12 IoCs

pid	Process
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe
2936	BlackBullet2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BB2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackBullet2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
2460	msedge.exe
2460	msedge.exe
2056	identity_helper.exe
2056	identity_helper.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 2948	3956	BB2.exe	85
PID 3956 wrote to memory of 2948	3956	BB2.exe	85
PID 2948 wrote to memory of 2460	2948	cmd.exe	88
PID 2948 wrote to memory of 2460	2948	cmd.exe	88
PID 2460 wrote to memory of 5024	2460	msedge.exe	90
PID 2460 wrote to memory of 5024	2460	msedge.exe	90
PID 2948 wrote to memory of 2936	2948	cmd.exe	89
PID 2948 wrote to memory of 2936	2948	cmd.exe	89
PID 2948 wrote to memory of 2936	2948	cmd.exe	89
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 1180	2460	msedge.exe	91
PID 2460 wrote to memory of 432	2460	msedge.exe	92
PID 2460 wrote to memory of 432	2460	msedge.exe	92
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93
PID 2460 wrote to memory of 2884	2460	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\Data\BB2.exe
"C:\Users\Admin\AppData\Local\Temp\Data\BB2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C52.tmp\8C53.tmp\8C54.bat C:\Users\Admin\AppData\Local\Temp\Data\BB2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://crackingparadox.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5be246f8,0x7ffb5be24708,0x7ffb5be24718
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:1180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
      4⤵
      PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:3804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      4⤵
      PID:2640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
      4⤵
      PID:1900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      4⤵
      PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6668872463115208328,9545035135951087509,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6100
- - C:\Users\Admin\AppData\Local\Temp\Data\BlackBullet2.exe
    BlackBullet2.exe FL
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
333636869ef4b6cca3598866d612af82

SHA1
60e7c0f571aab4594d1f5b445474f89a4c48c74c

SHA256
597b25a0ed34f1fc8a3d2131904f78307e7fc6828d32f8ad55110d005a3e96ff

SHA512
92ceab1534704f42b74a6bb342ffa3e6aed6f65bfe48a2aa85deb76927f555e438e667bff1d6a470870d5233da7d7d99fe7e339d0d796e5003b6c4ba5e49e435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1005B

MD5
2c777e3a2d3e1dadff1b5107bebd3794

SHA1
0234f5157b7ee2db9b2068f73d7aa9254cb31919

SHA256
4f475ee3e9305097f8a035fc22c37b18eb1f23e74f4213e675d72f1e0106b6da

SHA512
6d651eeeb650695b039b6943965780af5ac58caf3b882aa5ab00b368dde23f94ffc74f338c07e6f8688cfaecf6f4db9cfe37029fe453f54c4977cf8bf2c5c097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7c79ffaeabcff1e1d82ed8b86df7155

SHA1
202c5a225d6e0b254ece3b9f2fab03927da15b9b

SHA256
70111ddea6319de208af376f76c32f681266b3e874cbe89bd4a32ebf3ef923e3

SHA512
cc10aa5514a60f36d6a1226ab20a723e564f41056757c430e549069adf703c1f884266bfc545c4f1e5d24cc41092e7d4e9846714793a14232215844edd1f1e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
026c3499ac89dd04c033fbef3113994d

SHA1
2f3db5be1a1a589b15b298ae9b4a6043f8920757

SHA256
213e601cc89891ed93ea039c3ea1ee6789324dc0aa791eb9ee80c907949c380f

SHA512
cbbcbe96078185e93ab5259653ece6bcd0ba526b0c23e757127eba635d2f2d3084dfa3f787320ca76293ac29ab3a4d64019bc4bc8832d4544d6a2c17a9a604e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a80bc396f1e5637525e9dd93cc56da7

SHA1
cac3964f44f31ec0161bb38f6c26771ecaaf1fb5

SHA256
9979b19fc1b680603eacf0c145a7b60ec311f51389f6e9be535dab1599bd7518

SHA512
93861d366c5d734fe3cd787019859c7b4410bafe2fc7ded060d3d4bd596ed8579cdacc8bbaf1dac40fb470e344ed248e932fda60bd10f79ba6931c84ded13dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C52.tmp\8C53.tmp\8C54.bat

Filesize
71B

MD5
2a0d73d98b428296a6e4dd75d20356c8

SHA1
48fb89a2afb456f31d75e23e6a7df0fda4ef3e2f

SHA256
36afdc556332525b8de95bfb7b83e266dc9d90746084cc6ded0f74a96cba26b2

SHA512
6f2bd412360157d1b7edbe1501adb978fb6f47aae0c7161c40c608c1317ac8e6ade80aecaf6297ca2e6fdea04f490954b7a91d5a6df03ab6e00f70ff78307697

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9453.tmp

Filesize
1KB

MD5
ffce54e20826d374ab5e2ee01b4cb247

SHA1
ec13d3732150aec775d71d9d3d97f25995a1eb88

SHA256
d5aada4701f8cf3cb22fa5092c98e784741dbf84d9905daf0928b9270a0ec11a

SHA512
266673cc361747987ac5ca1b3a0c136f8812405a4646b5be7df18639ee6b893eb26429a41c2fa0b7ddb250289af86fbb7893dce4ddf5b37cd22fa7aace2e2d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9493.tmp

Filesize
1KB

MD5
0ce4834f5cba48c98b0956c0de6d9169

SHA1
53e862ef50a712a43ebb11edbabe85edbc9011b9

SHA256
cd27cf9a36d0f791925d581b4f107536428026e5ec67ac8ec064cfb855d1c135

SHA512
3be3497f811339c6ce2f3d16d43e97d7b83da40ae1c54b6ac53e7dee23d71439318111a7967e16131eb46b62aae84ce54ee5a819cdeece6a9576df5595b3dbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb94C3.tmp

Filesize
1KB

MD5
992f3b6741f74aeba23a38aa61665501

SHA1
ea1dc14e3dbfd10e5b78e0c5c66b99c90bff507d

SHA256
6acbecfd4644be3ab04625dc517d812abdd0437d68980d55dcbda319f6e184c1

SHA512
32c6151a270aa32317fc2878ca216fd512379b48238448da383e68168e527265d234d7e63ae3603fb09929282b62c5fae0539222814f25d3e0268bac0b6c6d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb95E0.tmp

Filesize
1KB

MD5
dd6e920cae4262f4116706722b5c2d2b

SHA1
823c70ddfd94e4108001a2da7720aaa0aa721a39

SHA256
cce540819490859a84ba53c71b3a9e57978c7c1ef00114b24712037e0e5080a1

SHA512
30ef35e89e3150e9309519d14a270a36822b58a30d784ae1377a66b4655b428eb935c354d0fd4768e09d0115900ff1138795feddbffd98315ef2922cf44cd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9660.tmp

Filesize
1KB

MD5
0b8d921d6a673285be78a679f3d451f5

SHA1
5fd3370b6ee09ffeffaf1f2d1b472fe1ab2e44e3

SHA256
44914a1ee2dd069afc47dbc8e836adaeab915b6a652e25475e52e598b91a8b54

SHA512
eb3bde14a1c3dc5670f8d92b2c6f055b1b3408f89dafd22aea55f42d361ffdd4a1c19490f52d2cce2726ba2812026e493591dbebe9ad1a52ecc749749824af5b

Download Submit
memory/2936-95-0x000000000A8C0000-0x000000000A8C8000-memory.dmp

Filesize
32KB

Download
memory/2936-101-0x000000000A860000-0x000000000A86E000-memory.dmp

Filesize
56KB

Download
memory/2936-75-0x0000000006030000-0x00000000060A8000-memory.dmp

Filesize
480KB

Download
memory/2936-74-0x0000000006030000-0x00000000060A8000-memory.dmp

Filesize
480KB

Download
memory/2936-65-0x00000000060B0000-0x0000000006128000-memory.dmp

Filesize
480KB

Download
memory/2936-82-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2936-86-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/2936-54-0x00000000055E0000-0x000000000564A000-memory.dmp

Filesize
424KB

Download
memory/2936-87-0x0000000006050000-0x0000000006058000-memory.dmp

Filesize
32KB

Download
memory/2936-94-0x0000000009F20000-0x0000000009F28000-memory.dmp

Filesize
32KB

Download
memory/2936-44-0x0000000005490000-0x00000000054AC000-memory.dmp

Filesize
112KB

Download
memory/2936-98-0x000000000AFC0000-0x000000000AFC8000-memory.dmp

Filesize
32KB

Download
memory/2936-100-0x000000000A810000-0x000000000A848000-memory.dmp

Filesize
224KB

Download
memory/2936-76-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2936-102-0x0000000005390000-0x00000000053B0000-memory.dmp

Filesize
128KB

Download
memory/2936-35-0x0000000005390000-0x00000000053B0000-memory.dmp

Filesize
128KB

Download
memory/2936-113-0x0000000005390000-0x00000000053AC000-memory.dmp

Filesize
112KB

Download
memory/2936-118-0x00000000055E0000-0x000000000564A000-memory.dmp

Filesize
424KB

Download
memory/2936-119-0x0000000006030000-0x00000000060A8000-memory.dmp

Filesize
480KB

Download
memory/2936-120-0x0000000006030000-0x00000000060A8000-memory.dmp

Filesize
480KB

Download
memory/2936-121-0x0000000006030000-0x00000000060A8000-memory.dmp

Filesize
480KB

Download
memory/2936-34-0x00000000053B0000-0x00000000053D0000-memory.dmp

Filesize
128KB

Download
memory/2936-53-0x0000000005650000-0x00000000056BA000-memory.dmp

Filesize
424KB

Download
memory/2936-9-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2936-3-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download