blackmoon | 4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe
Size

11.6MB
MD5

84a7fb37ada6574e16ce1e6411412d75
SHA1

9fd9a123ad8785b64f20f8cb0435d945b2150676
SHA256

4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4
SHA512

d07825ad96a4736dcf5070f3ecd72ae00294a61a7354b0f78decf32ece916c577a20ed842fa36fe3fe54302d26b39dae2e736958d681ad03dd093731152a2156
SSDEEP

196608:3k6EtwqLJYNZAjYUl8frgH3N0lDnt46PokOXuXiWWz0DIO8:06UwqdY8jYggrIWZz9XiWWzHX

Score

10^/10

blackmoon banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/5036-21-0x0000000000400000-0x0000000001AC0000-memory.dmp	family_blackmoon
behavioral2/memory/5036-22-0x0000000000400000-0x0000000001AC0000-memory.dmp	family_blackmoon

Loads dropped DLL 1 IoCs

pid	Process
5036	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000400000-0x0000000001AC0000-memory.dmp	upx
behavioral2/memory/5036-7-0x0000000006D90000-0x0000000006E4E000-memory.dmp	upx
behavioral2/memory/5036-21-0x0000000000400000-0x0000000001AC0000-memory.dmp	upx
behavioral2/memory/5036-22-0x0000000000400000-0x0000000001AC0000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
4380	msedge.exe
4380	msedge.exe
836	identity_helper.exe
836	identity_helper.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5036	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe
5036	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4380	5036	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe	84
PID 5036 wrote to memory of 4380	5036	4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe	84
PID 4380 wrote to memory of 1808	4380	msedge.exe	85
PID 4380 wrote to memory of 1808	4380	msedge.exe	85
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 4368	4380	msedge.exe	86
PID 4380 wrote to memory of 2864	4380	msedge.exe	87
PID 4380 wrote to memory of 2864	4380	msedge.exe	87
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88
PID 4380 wrote to memory of 2788	4380	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe
"C:\Users\Admin\AppData\Local\Temp\4940cec93f81b37ae28a67e83c1bc366239eb0d5158f827f9e26f22665c527f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jingyan.baidu.com/article/93f9803fe0b0eee0e46f55e1.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffe772746f8,0x7ffe77274708,0x7ffe77274718
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:2224
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
    3⤵
    PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
    3⤵
    PID:3812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    3⤵
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:3584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6574175108525797542,15041097531899225919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c6ed878e923d967be37e75543c8c186

SHA1
620c7b98272849ca3dc51ac77d88ca85846d7288

SHA256
dabea1ab4ac6d53051ccd5bbf3b2b820c1dc55a01c21095c3f8f364037849aa7

SHA512
20698fb0cf39d4a69b159c44d3305c93d482ca982f163358a6f8a227102fab65c9636675982c61eba3614fb45b6aab6a57ee750798d2280f6a7acbf760fa4182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22531654d6b1e20030ac932e7ef5c780

SHA1
e66a100b106d2ec13663492d8aaf27ce0519399a

SHA256
b3012d54182c0c24933b79019616ba5dcd0e9847459a53c2345aec015b9e3ac7

SHA512
ffa52eeab290f0003b02b157da7c78bdbcf63eb00f2f66b8c647280db11a6c3e68f6f0047747a0ade597d3c0dad511323a9ca4a5abc3d5d12d31874e8ae966e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77d09b4acbfd61ab3b4715f570994c3e

SHA1
5dcb7f1325f6332c2ebbc30fcf6b6769a0a54d8f

SHA256
00718618c517844bb3a54026cad28252d7017d326488f8646f561cf0caf2d9cd

SHA512
0d7308176b29c899fc8e943a597768b59f00931f3135891bf6e3b5238372e479a8330472eebf51cd90d59f596be639eb8872de231d9533dd8642d48bd83b1685

Download Submit
C:\Users\Admin\AppData\Roaming\Downloader\libcurl.dll

Filesize
729KB

MD5
f28f2bc74c40804a95c870ea710d5371

SHA1
8654243c7de98a74ede2bcf45e8506f92e77d6fa

SHA256
cf6e5d1db6eb6965e639db3bdffaee8eb38c9a603ed5317e2e7c92e8ea7bdc1d

SHA512
2542aad8117f91a039d27fe4d844675dd88dc267cc8643c6b2820fc05ab1b02ee05c77d7bdc6d9f56a992572ab67bfaab32bda3b03947a2c7175cd16fbf5726b

Download Submit
memory/5036-20-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-23-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-0-0x0000000000400000-0x0000000001AC0000-memory.dmp

Filesize
22.8MB

Download
memory/5036-18-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-17-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-21-0x0000000000400000-0x0000000001AC0000-memory.dmp

Filesize
22.8MB

Download
memory/5036-22-0x0000000000400000-0x0000000001AC0000-memory.dmp

Filesize
22.8MB

Download
memory/5036-19-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-8-0x0000000006CA0000-0x0000000006D90000-memory.dmp

Filesize
960KB

Download
memory/5036-6-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

Filesize
104KB

Download
memory/5036-11-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-12-0x0000000076080000-0x0000000076170000-memory.dmp

Filesize
960KB

Download
memory/5036-9-0x000000007609F000-0x00000000760A0000-memory.dmp

Filesize
4KB

Download
memory/5036-7-0x0000000006D90000-0x0000000006E4E000-memory.dmp

Filesize
760KB

Download
memory/5036-1-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download