phemedrone | hxxps://gofile[.]io/d/LGHMZZ

Analysis

max time kernel
90s
max time network
91s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16-06-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/LGHMZZ

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7250665686:AAHW0YznZP8w-6An0q8-OF3zVVfXyjQuxLM/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1576	Loader.exe
2984	Loader.exe
4584	Loader.exe
808	Loader.exe
4876	Loader.exe
1488	Loader.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Loader.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 351179.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe
4272	msedge.exe
4272	msedge.exe
4308	msedge.exe
4308	msedge.exe
2244	identity_helper.exe
2244	identity_helper.exe
900	msedge.exe
900	msedge.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe
1576	Loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	Loader.exe
Token: SeDebugPrivilege	2984	Loader.exe
Token: SeDebugPrivilege	4584	Loader.exe
Token: SeBackupPrivilege	2456	svchost.exe
Token: SeRestorePrivilege	2456	svchost.exe
Token: SeSecurityPrivilege	2456	svchost.exe
Token: SeTakeOwnershipPrivilege	2456	svchost.exe
Token: 35	2456	svchost.exe
Token: SeDebugPrivilege	808	Loader.exe
Token: SeDebugPrivilege	4876	Loader.exe
Token: SeDebugPrivilege	1488	Loader.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1368	4272	msedge.exe	80
PID 4272 wrote to memory of 1368	4272	msedge.exe	80
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 4540	4272	msedge.exe	81
PID 4272 wrote to memory of 3900	4272	msedge.exe	82
PID 4272 wrote to memory of 3900	4272	msedge.exe	82
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83
PID 4272 wrote to memory of 1804	4272	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/LGHMZZ
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9d1f3cb8,0x7ffe9d1f3cc8,0x7ffe9d1f3cd8
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4520

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
1KB

MD5
85bc898183b1a5cf6d76a025099d781b

SHA1
1a9bb5f8e82470905f87cc675552127e1cbc2bb7

SHA256
fec5c12dda45f13b89714c3ae768ec04d5265c1fb2fca9dd0aeab08fb42fd25f

SHA512
857b3d782fe9923fa555607f309229bc5d63a38bdb272abe9e3d00676b090adf39f2285f0373b82e98445bde0bcd7bd1a23082de6c6596f3ea6c36dd261af232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f738fcca0370135adb459fac0d129b9

SHA1
5af8b563ee883e0b27c1c312dc42245135f7d116

SHA256
1d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63

SHA512
8749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
68de3df9998ac29e64228cf1c32c9649

SHA1
be17a7ab177bef0f03c9d7bd2f25277d86e8fcee

SHA256
96825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43

SHA512
1658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
6725c86771aea9d887722880d39f7731

SHA1
1dabfd42951871f31bf602a07f87da314afe56ad

SHA256
5aec0ed9c349776ec79ec185d91c1bdf3f05c35cf7b15df87e0a2ab12ed6336b

SHA512
0cd4bd5129c260d56bc5c816810feeef14ebcb76bad6007fe26ccd2ad5dfb3097766988f3b3376e713862b42141912ddb8910207db727f84d0bb3ba74d4020c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
1485bfa858f7fde5341e24d3dc3f120a

SHA1
7fa13e3b5a43ac2fb6f219fb8dd7060b8af15d41

SHA256
88b986ef2c0221bb88d085ceeacd4a508d9e87a95af19b285b7646aa2b1f7d17

SHA512
a251e5bc35fbd6b93ff0cf1c8523037624332a5e2abc74ae2d238d1473784980bde3ebeecf5b95ccd9824824f07cbeeb68ec0d1bfa9a08ba9eb04276d3ded2bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
b78541ecdb9c53a2a4a7f14ef7e7dffb

SHA1
15e45f95761eccb1b817d2fb888673e783234ab0

SHA256
398c29d5c339381c1895d3df5a07b1ea85bfb608420de5b5ccd525620d4e4248

SHA512
69a7bdb7d08c331caaa5d34ef95a2bbaa23d8f16743f9b8303cfac2aa84a4a77936c0c4ce5ae6b6a873c9c08e40e2ce603166f57c07ed8287e3a06b652419933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
fb5385a3db730f22c764dac7e487cf16

SHA1
bef23d7536eaef38b9374a7b88de842d673819d3

SHA256
946ac8a449438fbba34733d91ffe70b5d98af7fca0e46772a30f30d435278803

SHA512
8e96424c99981e71cedce8bee980a07f5e798c2df59cf0ef2962a71c9ded3ae128b35743a0f5d650bc9264178c3fd903b9c6e83ac7a270644e340ed51c5f4cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
8KB

MD5
8f558cc9af6a1a4da755d34f6e250763

SHA1
58931e17e9fe5e256e3217852b4049a8fa28f995

SHA256
7237a98d0afa4c4ccaeccc84f84ded9fe93389542010a1c89f480c46334b4d0c

SHA512
72c423b02bcd04bc119863655538809e065dae2569e691fb5613d6ecb660e534ab344ab80041afe901ff28a8fc077c46df88ab592ec953309bd8a8d3fe4db6ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fd29261ab392994d319d00f950e7c99

SHA1
fd04475dc4336762b998fe01c16bd433b30f0a97

SHA256
f864a922f6031152cf6d00ce6c95efc126bf08e91fbbc732d1e44e3e3a2e75a8

SHA512
02ac6542b8460c9563f23e1b7d268153a0e7805a44568fd449a56d2a73a6758f2a9513fca75c5cb2cb958684f00a54dcfb245d838d348e6e35392042f9b2e0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
602409623c9a0937c95625edf889b7f7

SHA1
df6bdd256f9f500920a8434ddf8944a020f2dd22

SHA256
33d22c020c9b7692c8fef74ecd54a1033b00cf1afd797638323ebc1da3f37c77

SHA512
4b4f0a189cdc1da3a9abf6ee6c473cd6f79344d76016625ee7e6b62bc851b8d51a3f3bcc3c0d7b46a1d27a83ba044927399b3c58cbaced102bf3b229886b6bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13363021444083881

Filesize
1KB

MD5
698fb740a3d6f091381afeee42f947a3

SHA1
a34b8793c674889adf2c320bb82db278fa1c83f2

SHA256
ae6ae203d7260c200ef46c5f3b7bd86cf0a3da4ac6b49d4948b8de23abc71119

SHA512
ca840f77aceaab159c08c83fec8ba083b6b6f2fce276af3d36abf5f567d1cbe8d807214f5111fac2523d19be7998d06dcd1e41744da254c05ff98a55e34aa7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363021444257881

Filesize
717B

MD5
81d39d7e2b889962561ef16c66add959

SHA1
477777a47b0e0e19dd1729ff18bb380504a3dbd4

SHA256
7454cbd36cf8691d0f9ee00149d19336d0628d5f4b87b749a4d0026c9f3929a6

SHA512
516bafa80d5b1559f7dd8a13f4a46f657088d4dd7921ea914803dbeac1cf75ffd0e1b6b6d450de43d8afd063c72fae3e4d4373d410b33482cfe89de81818c32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
89d88ceb2049d4c71e6af8b9a74b1b6e

SHA1
f67ec6d46e688c7b5ec283d8975ceb2fdd4c2d58

SHA256
38f2ee5ddae519baf89c208e4193c62881cb16fc349a5333973a4bd1181db85e

SHA512
68a3fc21ad02205f0ffabc2a2d15ee7e9dc56b63412ef402ea7792c4cdf0a4724b1d7debd75940e4069661c9b1496e1d0666ea2b6126997b2fe47edc28aa0559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d6d4fc83293233abc64565bb2118c8dd

SHA1
73d968478af7febac4f189d33df0fddff33364eb

SHA256
2ace3105ea8712b0cdbabd139a15e4ed03d7de0e46c7df2a1b4084aedb46bc04

SHA512
42e1368d04b63550203b6ddd53d47c98633d1c337bffade6c8efbba29249ccda5118cf83448ce8ad61bbb38a858de2198d40fb4ec7284c1c6f64ff0cbedb1f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
0c6b15a5018290c48702183a28436f63

SHA1
19311ae913e749e768c7ac465f1db35b3786f8b4

SHA256
eabc372142bc0551394ccd9d7335705af3191ad1454d35e01e265fada98e0abb

SHA512
c8d76ff7586155f50f3c8083e0cf24d5ab9beb98a456d1e27d0c02183aac567c6c81b606d091e0e98b0a74e39eab1d56b2ff74121d84ec20877389334171de9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
3bf00e508430647bd00d94c23e1e9cc6

SHA1
1d8fb1909158e6f8120e3b449cd5635588b1c7b2

SHA256
e5c6f2707a38aa507907d3467ca13392a3efa29205b47aa0907ef0b7328cb8b2

SHA512
667f11117bf0706c875333e88aa10a882a49c10396a80b7fe0b4d1ca368ed78eea07cd45aca8a06d6b9b15cb8cb2dcce9893f483d4e396aaf3764641b3d18475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
32KB

MD5
b86ff3e21117c6d966035cf1b7351330

SHA1
5b2d0d3e29d35f76bc41e038e1e7d230715ccfb0

SHA256
53e6c5a07870931ee39215593ebe93fc7cec6df219cb20c7c04f54efad6870a6

SHA512
45f6ed097ac6536a669c1687ff2f5a370ef89eb41e72f8c5daddda7cd3c5b8f724b9a1e2df8889d48a072aa5c6a2520ed4ee17eed8cd2ab5d8ccd81614e6b48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
ea3eb20ad9ccdf7991c7cd973b58f0a3

SHA1
bce38741888e40e3a65fe3437bcde2edd0181ac4

SHA256
b8f090aaf86e4fda0d499c02f790d8e2c5773b1424dc2c1e3f956cd5c50d0f5b

SHA512
d6b685b6435d0ae92fe8b5d39d8ffb4da441789a594c442d076811b18d9e9155fdfe218b96382ff3c895acb525ea58522f2f2837a255e103f75b65ad1e1968c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
f5ea1f023e0f2723c727fa5b22ad93d5

SHA1
6b1c6376592405e492d15a00b4223aadb4c424eb

SHA256
71af7e1f6a8d9df1a71ba59cdfc57cedb5bcd8ae76bf617785bf2fc38bdcdc0d

SHA512
596e23dc3378e415d586e00150d2ca58cbafbd9f71d50074966f30a4e36b9192e85d493b9c1a9a62d7a0b0152b0e0718259f3c55f4d34f6b6bc96c11e40c539b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
567ba4557696aeabf0ce776fbeae33e6

SHA1
33400a19e0b03da0c517e3358b978092a69a176f

SHA256
692800924262674fc21e498477e8e729f00903c267bf1d04a0783a5f6846c81c

SHA512
def5f7ded08c7d9a0274ddfef68b779e23c3fbd18f7e32210fe40da091861b4114e4758c7680c312ce961c2429c2c7ce8bcdafcf6ee7da109b3bd2dcbdcb0bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data-wal

Filesize
4KB

MD5
ff348d91b2e2b68e5a611fd861642a09

SHA1
61a53a3772b6dc38276017e3ca1570b1a6cd4262

SHA256
4fabcea43acf755fc52ca432bc2022fcd7c6f8bd31b3c83b0f1273aab923705d

SHA512
522a4595080174177649a3d27b447cf1b989e0141ad49a797fec4aefffe2af0c48fd531483a647dc3a8321c7e79777e9d072d2472c0890a5233202aa181a40e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data-wal

Filesize
4KB

MD5
9c731bb8b73ff76249dddacd8edfe3c0

SHA1
bdd8bf5a050bf154bbd0b3e1cf27e5c682009efa

SHA256
6b30cdb7c52c4d3f0155dc92a8ae6a8997d336fc3d4c49f8fdda12bca57268f3

SHA512
b6d2c54e122197615b3b558fb703e94ab2908235c0f7c377611477dc18a521d9673cd01c574ce25490d871e42931e99e69acdbcb11928a297c6588310055f139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
0da1e61e200b8d34b79cbd5d12a5219d

SHA1
b095bc71773758447da0722ad6e498782b024f72

SHA256
53e19fe62065246cedfe75065aa732be38ca065193a29583a3c82b053c42e25c

SHA512
9e599b20f9c2ab6dea5ea6468108647350ef44fb25d1b30c8111009d06511606ee472b4b7e619cc62753c43d58d3d8e88a0f833b5849d3afda65ed9335041a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d4fd7c5bbb017f8a05f75dc395988b3d

SHA1
3e5ae5c970569f4afb92f33b1a2d91f1a2ff8f6e

SHA256
621598c6c3153ac71e0757820fd72b949e126f88256341cac7b88a62dfcd50fd

SHA512
03115801cb121da271fda40beab651c61064b356a2f04102e405c32b8266d09031bdc626bc909d9aaba084d5b648ac7096018ac022869ce0bbba5b9c7fd44b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
083f9d6dd4aa02271282017cf643ccf3

SHA1
b235953ade92ec2ff2753262f86ecd5f56220510

SHA256
3c7c83c604d4aa0a4bf2638b4c1fe3e4e1cfbd8aabca5214c3e8f47ef80b5f02

SHA512
b0a6d62805a468c7945a8278cc94e8491a29726958d68543bb40f0f5969488b356a9d926fb11ee17c078e45846cc307ad7ed885f68e2ee775558eaca6e2d1f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a1f4da6ec35b204b6d0cb1d4a5af8642

SHA1
04936a4fb8d45aaaf722103856a744c1e49fb1e5

SHA256
b44118cc6d3f5e03add1966b3cb9bfacd57faf1e82df46f5bd4c09b9945e8200

SHA512
574089126cecb07e7578467ba5fcb2e71549e30ccdcecb635a2c06c4625263382fec976b5a62222886555e95bc004c848c2943b02a7055aaa02782397ac5c338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e4498fc09b3095824e925f866ae28145

SHA1
e31bc4621b28dda6a2bc66a482e2539b81cc464e

SHA256
31c6ebfbbc10ed9329889e5f8309ef50352efdf14903ded61731b2bc23a5f8b5

SHA512
c288d21d2b38d1c66fd8a7c06743439c7d23c83641b78084d8a2947acd0db0fb1db1da54e5ca50541894eb94eb3e75ccdaf80ecc4ca9a08bb3393af35cbd9eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aa94189d8a2a0393e540dc68b81ef064

SHA1
5cabe829caf3f3a088b26811efa64d23b78b9e91

SHA256
524bf2bd3f12830b12057a9e0612b2eec57924e953a9e4836f13e2aa11f01160

SHA512
f45231ce07c4d01bcbe127b2ed55585ab93cef16f3d95e8a59842e9adc3cc7860706a6454204ce8ce666591844595f6a9fc56d2c542a3a825e8d7cf59e4fb858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d9a89ab3cb2675d7e7ebf62788b4128

SHA1
1fbacaa942057789a87d3e3b9327846d191653f0

SHA256
3b6b312dc4fed3a605b408f6e7a3c154d9608a89fe7828a9d1bb295ca9754769

SHA512
68bb9a3233e0cc688da57cd11ac5bf63099483056c8c4c553a29f6a14d8a77dc14e3c416709e2165932b3dbea776529b46a6231c4225f14c31480fde6dce3f2e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 351179.crdownload

Filesize
116KB

MD5
9957ff72b98d2fd3819a1c3a5bb7c266

SHA1
27ee49406e1eaaf4ca84e9119baf83d79e199df3

SHA256
103b15ed69b33225af3886c39dca69d542aba6907567bea4f4854a80fe9ca34e

SHA512
52e8cb098534a39b7ad5c251db05fed8b414012f824ced61ba6dd53e29cb8f08e870c19a74906112f2fa3ba60abfcd1d7f3170ac27481a918b1b818bebcb251c

Download Submit
memory/1576-96-0x0000000000C30000-0x0000000000C54000-memory.dmp

Filesize
144KB

Download