51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

Analysis

max time kernel
1800s
max time network
1157s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RippleSpoofer.exe
Size

15.6MB
MD5

76ed914a265f60ff93751afe02cf35a4
SHA1

4f8ea583e5999faaec38be4c66ff4849fcf715c6
SHA256

51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
SHA512

83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac
SSDEEP

393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RippleSpoofer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ RippleSpoofer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RippleSpoofer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RippleSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RippleSpoofer.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3520-5-0x0000000000A80000-0x0000000002700000-memory.dmp	themida
behavioral2/memory/3520-6-0x0000000000A80000-0x0000000002700000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RippleSpoofer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RippleSpoofer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 discord.com
12 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

RippleSpoofer.exe

pid process

3520 RippleSpoofer.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RippleSpoofer.exe

flow	ioc
5	discord.com
12	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeRippleSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	RippleSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

RippleSpoofer.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{AFCB9FC6-A1C8-473C-ABA9-7A4E95EBAA21}	RippleSpoofer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{57C4C960-60B6-4750-8607-68E4516037AE}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RippleSpoofer.exe

pid	process
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe
3520	RippleSpoofer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

2312 msedge.exe
2312 msedge.exe
2312 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RippleSpoofer.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 3520 RippleSpoofer.exe
Token: 33 2724 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2724 AUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	3520	RippleSpoofer.exe
Token: 33	2724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2724	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RippleSpoofer.exemsedge.exe

description	pid	process	target process
PID 3520 wrote to memory of 2312	3520	RippleSpoofer.exe	msedge.exe
PID 3520 wrote to memory of 2312	3520	RippleSpoofer.exe	msedge.exe
PID 2312 wrote to memory of 3772	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3772	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 1776	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 5480	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 5480	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe
PID 2312 wrote to memory of 3788	2312	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffa9df43cb8,0x7ffa9df43cc8,0x7ffa9df43cd8
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:3372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3552 /prefetch:8
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3388 /prefetch:8
    3⤵
    - Modifies registry class
    PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,5084162403102634940,15136283933612723200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
    3⤵
    PID:5920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
8817551b53f42b90bd292a121094a830

SHA1
ab6c9635c393a75418a7ed7ba86d963ee1d86ede

SHA256
f7610c2b6d1fc42288f59cc3a082999bef1aef96a897952cc8919e9d775418bb

SHA512
46434745f7f4800fe01898896b25e1e2d23b4585dc3bd9a07d90d9bc0e5bfe595a38777fdbc236ded5b99ddb3c1bb054d7c9f17a78434b064a523ade91964bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
2d55c30d577600b7be3e0362597f43c6

SHA1
1bf377d4a631302be97f3f0b270ec67d2a54062d

SHA256
90addba74f40c76781af79143767fd8e6e32ab58e6de64c53b9584f0bcb678cb

SHA512
64d5089c6caa74caa0140109ecd113ee247450ee79e93bcbaa1272668c915522819f95f96832bf85610c9334d2b9cf786d90a3f2747f7283c814ed7277308b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a761d2018a1b6436dac615c950e8465

SHA1
6a5f254ff03ccf5686e96d18dbb7ce36092fa076

SHA256
54ad27d4d0886cccd883359c16d96f38cc7040de2cd808bd89538f9249ca5d9f

SHA512
2d036f1c766cc0a7019d74a55527bdeda36c920c0f332b94583bbc2abbb7de319b590399b39bcd89053a08147fbc4b35eb0cacf9a03ecebb4f13fa712d8ffa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c49a6f1deb7d54fb07674e820db258e

SHA1
554788d99f95436303dca09a100a874a97b2256a

SHA256
6955bf1081fd4b1017b7f366df652d270e2df39eea53355b56445927091190aa

SHA512
cbca535292e5913f8909c86d6cfa5535015a92481ecc75732c142b89b640b926bcbf4e2c4b3a4f930cdef3453e4d8d65f9a66f7a7a4910f546fbf56be1e1cbe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0fe38423df802f6a916c64361faa5abb

SHA1
0b145a851f6d02038d063bffe8e8a5714c77a3e4

SHA256
4d845cb157bd355d0d860030592adc9b8e406c29a6b1be9917c3fec8d04e5452

SHA512
ef7dd278c784a665b5dc49f66be7024eac6713f616b358a9b4742203b661946caac3623a9ed3cdc41cfdadf1394e3905adc97c32147413f931e45c2ce3755585

Download Submit
\??\pipe\LOCAL\crashpad_2312_KDQAOTUEFXRAJTDF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3520-10-0x0000000000A80000-0x0000000002700000-memory.dmp

Filesize
28.5MB

Download
memory/3520-28-0x0000023D60EA0000-0x0000023D60EBE000-memory.dmp

Filesize
120KB

Download
memory/3520-12-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/3520-13-0x0000023D5D3D0000-0x0000023D5D3F2000-memory.dmp

Filesize
136KB

Download
memory/3520-14-0x0000023D60160000-0x0000023D60374000-memory.dmp

Filesize
2.1MB

Download
memory/3520-15-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/3520-18-0x0000023D60D60000-0x0000023D60D94000-memory.dmp

Filesize
208KB

Download
memory/3520-19-0x0000023D60DB0000-0x0000023D60DCA000-memory.dmp

Filesize
104KB

Download
memory/3520-21-0x0000023D60DA0000-0x0000023D60DB4000-memory.dmp

Filesize
80KB

Download
memory/3520-20-0x0000023D60D90000-0x0000023D60D98000-memory.dmp

Filesize
32KB

Download
memory/3520-23-0x0000023D60DD0000-0x0000023D60E02000-memory.dmp

Filesize
200KB

Download
memory/3520-11-0x00007FFAA395A000-0x00007FFAA395B000-memory.dmp

Filesize
4KB

Download
memory/3520-29-0x0000023D60EC0000-0x0000023D60ECB000-memory.dmp

Filesize
44KB

Download
memory/3520-27-0x0000023D60E90000-0x0000023D60E9D000-memory.dmp

Filesize
52KB

Download
memory/3520-26-0x0000023D60E10000-0x0000023D60E56000-memory.dmp

Filesize
280KB

Download
memory/3520-30-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/3520-0-0x0000000000A80000-0x0000000002700000-memory.dmp

Filesize
28.5MB

Download
memory/3520-9-0x0000023D5E9C0000-0x0000023D5EA72000-memory.dmp

Filesize
712KB

Download
memory/3520-8-0x0000023D44820000-0x0000023D44821000-memory.dmp

Filesize
4KB

Download
memory/3520-6-0x0000000000A80000-0x0000000002700000-memory.dmp

Filesize
28.5MB

Download
memory/3520-5-0x0000000000A80000-0x0000000002700000-memory.dmp

Filesize
28.5MB

Download
memory/3520-3-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/3520-2-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/3520-1-0x00007FFAA395A000-0x00007FFAA395B000-memory.dmp

Filesize
4KB

Download