Analysis
max time kernel: 60s
max time network: 61s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 21:15
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mega.nz/folder/5fNUhBgA#YJaxqOWN9H2LgK7Af3Hnbw/folder/gOk1jCBB
Resource
win10v2004-20240611-en
General
-
Target
https://mega.nz/folder/5fNUhBgA#YJaxqOWN9H2LgK7Af3Hnbw/folder/gOk1jCBB
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
SilverRAT.exe, SilverRAT.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SilverRAT.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SilverRAT.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
SilverRAT.exe, SilverRAT.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SilverRAT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SilverRAT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SilverRAT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SilverRAT.exe
Loads dropped DLL 2 IoCs
Processes:
SilverRAT.exe, SilverRAT.exe
pid | process
5532 | SilverRAT.exe
5936 | SilverRAT.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Silver Rat [Re Lab]-.zip | agile_net
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\c6c6a3e9-c361-49e8-8bfb-89d8d97e2f31\AgileDotNetRT64.dll | themida
behavioral1/memory/5532-240-0x00007FFD86070000-0x00007FFD86822000-memory.dmp | themida
behavioral1/memory/5532-242-0x00007FFD86070000-0x00007FFD86822000-memory.dmp | themida
behavioral1/memory/5532-254-0x00007FFD86070000-0x00007FFD86822000-memory.dmp | themida
behavioral1/memory/5936-259-0x00007FFD86070000-0x00007FFD86822000-memory.dmp | themida
behavioral1/memory/5936-260-0x00007FFD86070000-0x00007FFD86822000-memory.dmp | themida
behavioral1/memory/5936-264-0x00007FFD86070000-0x00007FFD86822000-memory.dmp | themida
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
SilverRAT.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefnotaRAT = "C:\\Users\\Admin\\AppData\\Roaming\\DefnotaRAT.exe" | SilverRAT.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
160 | ip-api.com
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
Processes:
msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, SilverRAT.exe
pid | process
4552 | msedge.exe
4552 | msedge.exe
1652 | msedge.exe
1652 | msedge.exe
4968 | identity_helper.exe
4968 | identity_helper.exe
5648 | msedge.exe
5648 | msedge.exe
5532 | SilverRAT.exe
5532 | SilverRAT.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exe
pid | process
1652 | msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SilverRAT.exe, SilverRAT.exe
description | pid | process
Token: SeDebugPrivilege | 5532 | SilverRAT.exe
Token: SeDebugPrivilege | 5532 | SilverRAT.exe
Token: SeDebugPrivilege | 5936 | SilverRAT.exe
Suspicious use of FindShellTrayWindow 33 IoCs
Processes:
msedge.exe
pid | process
1652 | msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe
pid | process
1652 | msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
SilverRAT.exe
pid | process
5532 | SilverRAT.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe
description | pid | process | target process
PID 1652 wrote to memory of 4400 | 1652 | msedge.exe | msedge.exe
PID 1652 wrote to memory of 4712 | 1652 | msedge.exe | msedge.exe
PID 1652 wrote to memory of 4552 | 1652 | msedge.exe | msedge.exe
PID 1652 wrote to memory of 3440 | 1652 | msedge.exe | msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/5fNUhBgA#YJaxqOWN9H2LgK7Af3Hnbw/folder/gOk1jCBB1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdabb846f8,0x7ffdabb84708,0x7ffdabb847182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4744 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5252 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4e8 0x4f01⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe"C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe"C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize: 152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize: 152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023 (Filesize: 21KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026 (Filesize: 17KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (Filesize: 72B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT (Filesize: 16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize: 5KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize: 6KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize: 6KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001 (Filesize: 41B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index (Filesize: 72B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57952b.TMP (Filesize: 48B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize: 16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize: 11KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize: 11KB)
C:\Users\Admin\AppData\Local\Temp\c6c6a3e9-c361-49e8-8bfb-89d8d97e2f31\AgileDotNetRT64.dll (Filesize: 2.9MB)
C:\Users\Admin\Downloads\Silver Rat [Re Lab]-.zip (Filesize: 16.7MB)
\??\pipe\LOCAL\crashpad_1652_UXWFYXEOEJZKIMQT
memory/5532-232-0x0000000000D70000-0x00000000012AC000-memory.dmp (Filesize: 5.2MB)
memory/5532-240-0x00007FFD86070000-0x00007FFD86822000-memory.dmp (Filesize: 7.7MB)
memory/5532-242-0x00007FFD86070000-0x00007FFD86822000-memory.dmp (Filesize: 7.7MB)
memory/5532-243-0x00007FFD97EA0000-0x00007FFD97FEE000-memory.dmp (Filesize: 1.3MB)
memory/5532-254-0x00007FFD86070000-0x00007FFD86822000-memory.dmp (Filesize: 7.7MB)
memory/5936-259-0x00007FFD86070000-0x00007FFD86822000-memory.dmp (Filesize: 7.7MB)
memory/5936-260-0x00007FFD86070000-0x00007FFD86822000-memory.dmp (Filesize: 7.7MB)
memory/5936-261-0x00007FFD97EA0000-0x00007FFD97FEE000-memory.dmp (Filesize: 1.3MB)
memory/5936-264-0x00007FFD86070000-0x00007FFD86822000-memory.dmp (Filesize: 7.7MB)