gh0strat | c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd

Analysis

max time kernel
103s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0.zip
Size

32KB
MD5

010cfb902cae00576e39556914eb7af5
SHA1

86bb5ed57999602fc4540ace6086a891c996e3f3
SHA256

c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd
SHA512

5c848b7e537208aafa0b52f94c7f6a0348f8d4dcdf46b1bfbbf05d6813e47fcceea1dd1c8a9368f9476aae28d571dd97cfa1770e4a76947d430f94b597d2a9d1
SSDEEP

768:1WNTeakdIbb8karXzilV7uUdzM1VyY8dLDFa1X87MEH2fZz:1WxeanbmXeF3doVypdL5amYEHw

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\0.exe	family_gh0strat
C:\553100.dll	family_gh0strat
\??\c:\windows\filename.jpg	family_gh0strat
C:\Windows\FileName.jpg	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4980 msedge.exe
4980 msedge.exe
2924 msedge.exe
2924 msedge.exe
2904 msedge.exe
2904 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2924 msedge.exe
2924 msedge.exe

pid	process
4980	msedge.exe
4980	msedge.exe
2924	msedge.exe
2924	msedge.exe
2904	msedge.exe
2904	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2924 wrote to memory of 4004	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4004	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4708	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4980	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4980	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4048	2924	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\0.zip
1⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://appdata/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdcd9546f8,0x7ffdcd954708,0x7ffdcd954718
2⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,12765179002083332021,7978885197056739900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,12765179002083332021,7978885197056739900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,12765179002083332021,7978885197056739900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12765179002083332021,7978885197056739900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12765179002083332021,7978885197056739900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcd9546f8,0x7ffdcd954708,0x7ffdcd954718
2⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
2⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5012 /prefetch:8
2⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
2⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6475932515626230638,5151875094135034980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
2⤵
PID:5940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\0.zip"
1⤵
PID:5316

C:\Users\Admin\Desktop\0.exe
"C:\Users\Admin\Desktop\0.exe"
1⤵
PID:5580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
PID:1608

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\553100.dll
Filesize
64KB

MD5
45dc749351fd65d71da89ca2ed2766cb

SHA1
e080faf81157b7f867cb56938c5e579c206af9b9

SHA256
391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25

SHA512
7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7bd9a1f4-65dd-4620-869c-97cc61473b52.tmp
Filesize
10KB

MD5
dc1e044953715f1217b63f5d366fba23

SHA1
3cab29e1e73f7c522e627727306f7c99b8a74acc

SHA256
70329e6ab79b6b41c2c5319e16f3c75d0ec7b9e5d6a86a939fb9db7edeaeddc9

SHA512
be410486d1b59922974a4c064c44adfb3996cad0a54ae8cc9ae9e628bcceb551cf91f74998abb22afaa367232621f33ab8142b7aebe8e50b4b6d724ef3f3fcdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f2e3885a1beea7c60ab54f8741501127

SHA1
00425ac15f68498461716b3ffb46782c30dacaac

SHA256
8379ce8898da3f421476c92ea32d5eaeb6905b56200305cfe030cbe991e40771

SHA512
5cf56d9b28b01cc93992b5613aaf8932743c5cf7101f6a326e48fb6f4cd8b07213e477f0f44ac9e775543c43a5f3d73e17c8763a1ccac276c8b0785e8a7f908c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4ff53311-b39c-4060-afa2-3787ce1ebb8e.tmp
Filesize
24KB

MD5
d52dc2ca09d662937e3e669200ec0cb9

SHA1
d61e36c11bd13511e35c2221ce2d82f509d38e91

SHA256
288af9448609160db5ae774bb18de8d77e367e51f21919a22f85fc1954140fed

SHA512
dc294f662521adec1ae09bf0e53de9de7ea1f17f8cfa5ed42b1310d0127709e2755d586e6329fcbdd65a10654d5157f895809fdd95bfdaf2c72b704d70843eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
fa9c7e940d15216cfc00f85f9d5e19a0

SHA1
ec1eb94451176853c6c7ea929965d7f47f2e3bf5

SHA256
a9a31a277fc25ca916c974a006c7b8c90fa1d8051a3c713c5629aebbab21f0da

SHA512
7b1ee0905c36a11e2cdd341d71489287a59ec103bcce1df340cf4a93f979faae559c7d2b894933624f11d703a50aa30380bb33df79ff105378423ba33536cc29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
3e582dce8090b452eb7ceb929ab2070b

SHA1
a37f273f905486affed066b5fbb3714ec08cb71d

SHA256
acf9b29eef746425a519a1273700ece2356f80ae207a79892a5e6cde13f66b47

SHA512
019f57e4328421ddcef0fe3fd7ce290bc202dad318c8cb824f548ff3d6a309c6cadddcf237b63cf4d7dfbd8360147f7352e82b91b9a701072dea872d407d1a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
322B

MD5
007ea23f75d558dac6204f884ea7b030

SHA1
51dbd4db2d82c554ac81876f46155b2258f2cb1d

SHA256
cab8d51465c128c877fa811e61f3fe2b5c8b37545c35f30b744241b829d6b119

SHA512
fd4f2ea5d1db8c27c76124d08cb3eb02d6a3fd13022881f8b9205701969149892096d4cbb30ebfd0e243341c9c5b677bec7e7081fb67f707d5ebf1b2a341c174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
83KB

MD5
e28ff58528a06c949ddaa8b55b0ab0f6

SHA1
bd1dd2cd8e5a66e0399c113d021d774f5751b60a

SHA256
da0dc68464f88af2eddec3ea66ff26bf6d6ef0742501794339275f118f8c373f

SHA512
1776d722621e6250b9cd9a43033b0aec9394f8cce9d6e3a4b5aeee8183654e3f1633305389874404f07336c61dcceb6d538dab8387707b44ccb42b9269af8ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
334B

MD5
71f6950dd9d2879d49de714548427fe3

SHA1
6bc02c6703088a6f1d9d241c4d2d06a992d0c961

SHA256
763b271e44bde276b1f6ac6301bca297554d0e1d70491691eb549203c171b22c

SHA512
c44e1b822d4f947be30aef7e91009576113850ccdffd266faddc6ccc5fe498c76f5c51c34a687bdb05459f0cb7550556408d22a244cd75db6c5fac40f01dbd6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b4c5f84f3419a77a8f4dc16ac524432c

SHA1
e7c20764690d7a4fa7ab2deaa10ea5b91d5b28f1

SHA256
5f1c4154811b1bc4ed59a02a2aec0ea0c8179782729ea52cca5e19051d3e5acf

SHA512
c28876413d6253436f04ee8e60054ab4dcfbc4bbf1bb954fff807c66943b4d3c6ed8c816b9e14992b423d9f7bf6283aa4ba47e70ba894b5a1f3c7c08b3981177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0ccfdb8246a9bc335a8cf39c0313b198

SHA1
1b1d14549177435e163ebba71b8b41a1b0478f1c

SHA256
9408f8f0cbba39a2e1ee3457cac510e285c1d1892a18992de5c2bff5b4189568

SHA512
b4d259ee7082b40946f0087f2d912d860626ff3fb7215bd7b8ecbe075dda54633c9a5408d08fd736bec0a15f1971bbc749ec69c4c9c112af7338bf722b38c6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
54f37bbe18275f7f6f384e0e8c6e84d5

SHA1
e92a4abfa6ab46e892ffe484308dd2dd5c4fe741

SHA256
4332dde48351d489a88f7fb276c4a9375e7f18677b8950b8a508be0ba512cdb6

SHA512
8f298ce0ce60778ddad2194e84c546271865c1f778068e0706915b08d6a488dcc32afbadabb6fedb0dd89cdfb22a080962d1f77a65d525cb56d26d91f7ca6fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b57a9b898079269dfa5ffa1856d0b8d0

SHA1
e6efb3cccde6b9576e906bd09c5745f2f595db5d

SHA256
a3040253a285fd5039deefbb77911d640dbbf4327a5baaf268415ac84827b8a3

SHA512
6cf8642640e9d4ec633c9f74cebc7fa0e60096de8e4956f6581033b43a671430f929759f651eb933c17dfb01fc1c362639d87387422c6d8197d4f45be1914b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
Filesize
99B

MD5
ba92e5bbca79ea378c3376187ae43eae

SHA1
f0947098577f6d0fe07422acbe3d71510289e2fc

SHA256
ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f

SHA512
aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
322B

MD5
a7d28bf8bce8253721165f185f5eaeba

SHA1
18437641d05c472b787cd9310cd38cf622e06afc

SHA256
bb1428d719860074bce9ba57fbd33a025f3f40b1d715af3c2894c61359415b71

SHA512
6955777b5cc4cfd78f406f455e2b3a65027b520ac2445ec180bc964ec51801c3b5b1b314f01d0c04c035301f1d62abed25a6c38381d15d57e85dff2c578d529f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13349907860048664
Filesize
454B

MD5
4aefc59a4061d3d18cb17d5b791444be

SHA1
1ace1e6eba50c0c42c86245487f72ba3571638ad

SHA256
9ccc85e3bd18599b6c90822c6f47922adb666b621761b8877fada0932a783ef7

SHA512
00e0d6c1c5a4273de16b743d25c9f2751d510b27a2da7d297c1a8b4b1c9a1ef678cbea8f64a63b0224507f01129e95597f97080c407b26c665cfe3b69f0397cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13349907860050664
Filesize
1024B

MD5
576e23e68c16e414b0cbf0ebee534573

SHA1
8a0a6edf6d80d79365ffa62739d18f1bf892c925

SHA256
6a76d4932f20eeb7fffb63c3fe8946034c67984bc888a5e23e2f72cbee4a814b

SHA512
588ee23ab0587f0466a3cdb5b484c302e49c77605b034b4abe86c969da5fe4784287bff3a491dcece673725727ecf763ff1fb66215d62b76e610e13108f5e601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
7b296b7bccfa1d82a0660a5667eeef79

SHA1
482ed56f5c4e5a46e7e68d86dbdc9b4e974a25b4

SHA256
a0617e9da12b322e7190e1a2389c4265bc01cf9911d4f523da4ffd3a508c1f36

SHA512
f970b8d4c15f08c98d8c8cd2e082bec3acaf0016011dbefa847d47d6ee6925dada578fdac6ab002c26bd63309830a95df1bd6d4cb707396fe273d902aa3c6b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
e6165a0c35e635b78696ca0bc9108ed5

SHA1
660f1ff5d2e3c4790303080cfe85132ff04e81e1

SHA256
1ba6a32d2d9944fabaa1ad0a5a6fd3602cdf36e1b20fc3b9f4b90b33b2effd64

SHA512
194769d37b0ab85a29ea4ab0524c09d76903847c4a8bce2f2690723b2b34dd219b0f6b549628bee23b1c0e51934a55bba5125461416fcbdd805f715c63a5ef63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
f814c3763510e472f3908e5c371b223c

SHA1
bfa7854fb52560485468b806b7afed596bb96d02

SHA256
cc03e3d2ba6b070d6857a0d8ec7ef2540f3216222f01d2dfd8975e229fb0e8bd

SHA512
8de966fb078df5c7126770d180daa4d56ecbfefc8d95a29c3ae21cc9eaa9cfdf9aaef978c9f9bb11c59f3d4bde1fe1b818a0f0a9a7c8f9087e283e8af903e953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
710f8a14bb178a5d57140a341b61f249

SHA1
03bdf969b3b7449b6a586a012e2c4b987fd199b9

SHA256
112fbfff1211e8f57f10ff053dcf18616380f84047d0e4ac21d201477d6f398c

SHA512
f01ba15ffece9654656149c3c0747cb4ca02ed304737ce3fe3b390a0fb50324a325520b47dab0d7a8a60d9a3784c5ea4278b670f15f82bdc272a7fdc60b89842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
565B

MD5
dbb805a0ebd21bca3d0aa93ccd995326

SHA1
d839471308547b9fba1fdb2d4d9a120df099367b

SHA256
218e73d1cc5296bbf8382d9951d4ce0740edb39dee874b2b93e1e3c34115440d

SHA512
878fffc094ed461d24088ec641c317044cbd25deb24dc19d2c24d5d90104819c1c45e9d65aee4a188969ecd4ff98a20b93db13e877e024079cc5e8016a4ba879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
12ed6b99e1a836973a2ae90ce45016e7

SHA1
7727e5551df11d1e6b6eee3c1b8a8dfaecd2ba06

SHA256
45ad6fec3140fa9d30fc63cbcbcd12f09cda1dcc880dcaa12b245229b313aa2c

SHA512
e60602e5adaf6247303e6eb85f192273752cf34c63c7bc9a89a85e7f70a21249ae8c22a2a9463918432dc65c1c88b49a46a9c6f9e52281c21249eda05a2d962e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
2f65768bb8a7d6eb7feed4814bcc28c1

SHA1
96914c1ff2624361e58a8d594d1e0671f1c72455

SHA256
0d99de3bb6eb0148c9714aa1b969c50556c4d610852325ba66344b0c68a8a1fa

SHA512
979e4642266013d45a94d3b439a4c4a06db31eea89dcc1cce2a17df76d6b8d2dce16ff17ef93089ad9ce6da61289a2273d6d199305946fcb9150e4e88e651ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
749a99211a1f3b509a83cbae38fc3cc5

SHA1
1fe6a80257be5900d3dee44273c93c4ada869026

SHA256
c5137151816cdafe508e0ed513047febcd246976596c7f245dbe739dfadcb9f3

SHA512
134ce50522e069bdb53e72df29339d59d3de77bdc0e10fe0a9e023f4bddb5dac97f7898d9c9660077814a3b4e35c0af94a517de789dee6fbf27d63a5bf95fa2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
2.3MB

MD5
f715f1b33457fdd50203ec187747c3db

SHA1
be4479de8adb06e67b2918fd3bbf8fce72244558

SHA256
18c98d2e7e02d16e81f5ae1d8a6bae3bed61ca302d57c7d982a06eae8bdaebc4

SHA512
a30a26c584e93dcb59179fc1ac9e2c802957d0428932b121214628ac52236159c8ba673ae31bfa92f76bac786a8b3d35133ceb989c43bbf1ac3cf57a84adf92e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c162147d6f240ffade4ac8c1af7616a0

SHA1
b25f3af87fa33bfce37255d89f3661698af1efbc

SHA256
07fcc3ec974d4c88a875c1c7eb66c3a2733e71f9e48aa96ed847cc2bb11fe125

SHA512
bc8665349d35436945b397086fee23768508a9ae6829faa6ae7367d4b01771a4ef198ab4ca1e3e867f9d9a2c1174ea4e6b4a9f7995e8a71741e46517f20757c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
3B

MD5
1b0cb513f2ac66101ba793bf6072d1cf

SHA1
c54e9c30011b3201d38fb98c3fd76fa8efb065ff

SHA256
ee0821d1b8433ed22d0d739b16c0fc1759f0afcb8597f353e4d9a0268dd47e3f

SHA512
f498f1c3daba7f6c6103c35dda01fc777a894b650adbabfba1bfc19ce7731dd6eec79af9b0fef626cd1dc1182001cbbcda9156db778935c11fcc19f35bdf553b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB

MD5
eea8836a44ad94cfb4858964877f92e2

SHA1
b4c7e116ac727dc7a009332303e584c861f9546f

SHA256
c51bd729df4193a631f4ef17df5efeb671ec07524533a798c5c969767a0ce187

SHA512
c93f320d8440cc5f33f96370a139cfe519bf2ec75a4c2fd4892d7304fad89f6907fed32daab2e67af0e3dbf2d0abb6f67bd70cc78edf3b3ab709039a99ff9345

Download Submit
C:\Users\Admin\Desktop\0.exe
Filesize
71KB

MD5
2a9d0d06d292a4cbbe4a95da4650ed54

SHA1
44c32dfae9ac971c3651adbd82c821971a5400dc

SHA256
09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c

SHA512
ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d

Download Submit
C:\Windows\FileName.jpg
Filesize
786KB

MD5
82364522d9ca66d17cc9f2581536f141

SHA1
b6527940be61493bde1895189f2c76faa37b2622

SHA256
fe56f5b5a229f399f7d3b91d53420623dc8f0cfbcec5ec330ebac63ec57cd549

SHA512
2c368bb98945d4387de12f202aa36cfc997f1630f12eecceb1d1636caf384a704941c08fb627cc0b35a8cc5663ba3ee542f49aba76f0b341f2578473a78f7e79

Download Submit
\??\c:\NT_Path.jpg
Filesize
42B

MD5
00321f6b3af8934def466aa5fe918368

SHA1
b6eb6bb7b1bb0e05b710bfb8793aaf790ac8d61d

SHA256
2fc5c1ded0c6655e04139d1758fc123d89499887991a7ae7c3e3c8c7d33974bb

SHA512
9b707350cc7b4348c202ed75d4c8b7e799f64b9dba2069c9fd7e6f8b979742c587e8e6c6ce82f2a62e182d4d195c84a605502cb0813506bb3fc8381a7bbf979d

Download Submit
\??\c:\windows\filename.jpg
Filesize
1.0MB

MD5
3d73d127bd0c081867ecf05f93751586

SHA1
40f954402bee83df3eeb155049daf069ed373618

SHA256
09992cf65f63cf6bb2bf057e982bc5be676e89b28b41ec5da1bb58d59a685967

SHA512
a0fe31dd27be8114487356de1088b2f6cfe49690251da23f5ece30cab474e576a602a5b26a4f544b5bf2963d5b7f0ef86e432663781c5bb1e28b7d9e74dfbc54

Download Submit
\??\pipe\LOCAL\crashpad_2924_SKTXTPDVOLAIXKXL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5924-251-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-250-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-261-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-260-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-259-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-258-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-257-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-255-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-256-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download
memory/5924-249-0x00000207D4DE0000-0x00000207D4DE1000-memory.dmp

Filesize
4KB

Download