Malware Analysis Report

2024-08-06 14:55

Sample ID 240616-rqlfxs1akl
Target https://gofile.io/d/LGHMZZ
Tags
phemedrone spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://gofile.io/d/LGHMZZ was found to be: Known bad.

Malicious Activity Summary

phemedrone spyware stealer

Phemedrone

Downloads MZ/PE file

Reads data files stored by FTP clients

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:23

Reported

2024-06-16 14:25

Platform

win11-20240611-en

Max time kernel

90s

Max time network

91s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/LGHMZZ

Signatures

Phemedrone

stealer phemedrone

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Loader.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 351179.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A
N/A N/A C:\Users\Admin\Downloads\Loader.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Loader.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: 35 N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 1368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 3900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 3900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/LGHMZZ

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9d1f3cb8,0x7ffe9d1f3cc8,0x7ffe9d1f3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Users\Admin\Downloads\Loader.exe

"C:\Users\Admin\Downloads\Loader.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Loader.exe

"C:\Users\Admin\Downloads\Loader.exe"

C:\Users\Admin\Downloads\Loader.exe

"C:\Users\Admin\Downloads\Loader.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Users\Admin\Downloads\Loader.exe

"C:\Users\Admin\Downloads\Loader.exe"

C:\Users\Admin\Downloads\Loader.exe

"C:\Users\Admin\Downloads\Loader.exe"

C:\Users\Admin\Downloads\Loader.exe

"C:\Users\Admin\Downloads\Loader.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15530078494572562551,12617919775456514382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
FR 51.38.43.18:443 api.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 31.14.70.252:443 store10.gofile.io tcp
N/A 224.0.0.251:5353 udp
US 104.26.0.100:443 get.geojs.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.26.0.100:443 get.geojs.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.26.0.100:443 get.geojs.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 52.111.227.13:443 tcp
US 104.26.0.100:443 get.geojs.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.26.0.100:443 get.geojs.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 68de3df9998ac29e64228cf1c32c9649
SHA1 be17a7ab177bef0f03c9d7bd2f25277d86e8fcee
SHA256 96825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43
SHA512 1658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf

\??\pipe\LOCAL\crashpad_4272_ETRHZQFJHQLQEKOF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6f738fcca0370135adb459fac0d129b9
SHA1 5af8b563ee883e0b27c1c312dc42245135f7d116
SHA256 1d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63
SHA512 8749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5fd29261ab392994d319d00f950e7c99
SHA1 fd04475dc4336762b998fe01c16bd433b30f0a97
SHA256 f864a922f6031152cf6d00ce6c95efc126bf08e91fbbc732d1e44e3e3a2e75a8
SHA512 02ac6542b8460c9563f23e1b7d268153a0e7805a44568fd449a56d2a73a6758f2a9513fca75c5cb2cb958684f00a54dcfb245d838d348e6e35392042f9b2e0da

C:\Users\Admin\Downloads\Unconfirmed 351179.crdownload

MD5 9957ff72b98d2fd3819a1c3a5bb7c266
SHA1 27ee49406e1eaaf4ca84e9119baf83d79e199df3
SHA256 103b15ed69b33225af3886c39dca69d542aba6907567bea4f4854a80fe9ca34e
SHA512 52e8cb098534a39b7ad5c251db05fed8b414012f824ced61ba6dd53e29cb8f08e870c19a74906112f2fa3ba60abfcd1d7f3170ac27481a918b1b818bebcb251c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a1f4da6ec35b204b6d0cb1d4a5af8642
SHA1 04936a4fb8d45aaaf722103856a744c1e49fb1e5
SHA256 b44118cc6d3f5e03add1966b3cb9bfacd57faf1e82df46f5bd4c09b9945e8200
SHA512 574089126cecb07e7578467ba5fcb2e71549e30ccdcecb635a2c06c4625263382fec976b5a62222886555e95bc004c848c2943b02a7055aaa02782397ac5c338

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 602409623c9a0937c95625edf889b7f7
SHA1 df6bdd256f9f500920a8434ddf8944a020f2dd22
SHA256 33d22c020c9b7692c8fef74ecd54a1033b00cf1afd797638323ebc1da3f37c77
SHA512 4b4f0a189cdc1da3a9abf6ee6c473cd6f79344d76016625ee7e6b62bc851b8d51a3f3bcc3c0d7b46a1d27a83ba044927399b3c58cbaced102bf3b229886b6bc7

memory/1576-96-0x0000000000C30000-0x0000000000C54000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 b29bcf9cd0e55f93000b4bb265a9810b
SHA1 e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256 f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512 e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 d4fd7c5bbb017f8a05f75dc395988b3d
SHA1 3e5ae5c970569f4afb92f33b1a2d91f1a2ff8f6e
SHA256 621598c6c3153ac71e0757820fd72b949e126f88256341cac7b88a62dfcd50fd
SHA512 03115801cb121da271fda40beab651c61064b356a2f04102e405c32b8266d09031bdc626bc909d9aaba084d5b648ac7096018ac022869ce0bbba5b9c7fd44b1c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 083f9d6dd4aa02271282017cf643ccf3
SHA1 b235953ade92ec2ff2753262f86ecd5f56220510
SHA256 3c7c83c604d4aa0a4bf2638b4c1fe3e4e1cfbd8aabca5214c3e8f47ef80b5f02
SHA512 b0a6d62805a468c7945a8278cc94e8491a29726958d68543bb40f0f5969488b356a9d926fb11ee17c078e45846cc307ad7ed885f68e2ee775558eaca6e2d1f6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 0da1e61e200b8d34b79cbd5d12a5219d
SHA1 b095bc71773758447da0722ad6e498782b024f72
SHA256 53e19fe62065246cedfe75065aa732be38ca065193a29583a3c82b053c42e25c
SHA512 9e599b20f9c2ab6dea5ea6468108647350ef44fb25d1b30c8111009d06511606ee472b4b7e619cc62753c43d58d3d8e88a0f833b5849d3afda65ed9335041a5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e4498fc09b3095824e925f866ae28145
SHA1 e31bc4621b28dda6a2bc66a482e2539b81cc464e
SHA256 31c6ebfbbc10ed9329889e5f8309ef50352efdf14903ded61731b2bc23a5f8b5
SHA512 c288d21d2b38d1c66fd8a7c06743439c7d23c83641b78084d8a2947acd0db0fb1db1da54e5ca50541894eb94eb3e75ccdaf80ecc4ca9a08bb3393af35cbd9eeb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6725c86771aea9d887722880d39f7731
SHA1 1dabfd42951871f31bf602a07f87da314afe56ad
SHA256 5aec0ed9c349776ec79ec185d91c1bdf3f05c35cf7b15df87e0a2ab12ed6336b
SHA512 0cd4bd5129c260d56bc5c816810feeef14ebcb76bad6007fe26ccd2ad5dfb3097766988f3b3376e713862b42141912ddb8910207db727f84d0bb3ba74d4020c7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

MD5 85bc898183b1a5cf6d76a025099d781b
SHA1 1a9bb5f8e82470905f87cc675552127e1cbc2bb7
SHA256 fec5c12dda45f13b89714c3ae768ec04d5265c1fb2fca9dd0aeab08fb42fd25f
SHA512 857b3d782fe9923fa555607f309229bc5d63a38bdb272abe9e3d00676b090adf39f2285f0373b82e98445bde0bcd7bd1a23082de6c6596f3ea6c36dd261af232

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

MD5 ea3eb20ad9ccdf7991c7cd973b58f0a3
SHA1 bce38741888e40e3a65fe3437bcde2edd0181ac4
SHA256 b8f090aaf86e4fda0d499c02f790d8e2c5773b1424dc2c1e3f956cd5c50d0f5b
SHA512 d6b685b6435d0ae92fe8b5d39d8ffb4da441789a594c442d076811b18d9e9155fdfe218b96382ff3c895acb525ea58522f2f2837a255e103f75b65ad1e1968c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 f5ea1f023e0f2723c727fa5b22ad93d5
SHA1 6b1c6376592405e492d15a00b4223aadb4c424eb
SHA256 71af7e1f6a8d9df1a71ba59cdfc57cedb5bcd8ae76bf617785bf2fc38bdcdc0d
SHA512 596e23dc3378e415d586e00150d2ca58cbafbd9f71d50074966f30a4e36b9192e85d493b9c1a9a62d7a0b0152b0e0718259f3c55f4d34f6b6bc96c11e40c539b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 567ba4557696aeabf0ce776fbeae33e6
SHA1 33400a19e0b03da0c517e3358b978092a69a176f
SHA256 692800924262674fc21e498477e8e729f00903c267bf1d04a0783a5f6846c81c
SHA512 def5f7ded08c7d9a0274ddfef68b779e23c3fbd18f7e32210fe40da091861b4114e4758c7680c312ce961c2429c2c7ce8bcdafcf6ee7da109b3bd2dcbdcb0bb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

MD5 b86ff3e21117c6d966035cf1b7351330
SHA1 5b2d0d3e29d35f76bc41e038e1e7d230715ccfb0
SHA256 53e6c5a07870931ee39215593ebe93fc7cec6df219cb20c7c04f54efad6870a6
SHA512 45f6ed097ac6536a669c1687ff2f5a370ef89eb41e72f8c5daddda7cd3c5b8f724b9a1e2df8889d48a072aa5c6a2520ed4ee17eed8cd2ab5d8ccd81614e6b48b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 89d88ceb2049d4c71e6af8b9a74b1b6e
SHA1 f67ec6d46e688c7b5ec283d8975ceb2fdd4c2d58
SHA256 38f2ee5ddae519baf89c208e4193c62881cb16fc349a5333973a4bd1181db85e
SHA512 68a3fc21ad02205f0ffabc2a2d15ee7e9dc56b63412ef402ea7792c4cdf0a4724b1d7debd75940e4069661c9b1496e1d0666ea2b6126997b2fe47edc28aa0559

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 0c6b15a5018290c48702183a28436f63
SHA1 19311ae913e749e768c7ac465f1db35b3786f8b4
SHA256 eabc372142bc0551394ccd9d7335705af3191ad1454d35e01e265fada98e0abb
SHA512 c8d76ff7586155f50f3c8083e0cf24d5ab9beb98a456d1e27d0c02183aac567c6c81b606d091e0e98b0a74e39eab1d56b2ff74121d84ec20877389334171de9c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 b78541ecdb9c53a2a4a7f14ef7e7dffb
SHA1 15e45f95761eccb1b817d2fb888673e783234ab0
SHA256 398c29d5c339381c1895d3df5a07b1ea85bfb608420de5b5ccd525620d4e4248
SHA512 69a7bdb7d08c331caaa5d34ef95a2bbaa23d8f16743f9b8303cfac2aa84a4a77936c0c4ce5ae6b6a873c9c08e40e2ce603166f57c07ed8287e3a06b652419933

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 d6d4fc83293233abc64565bb2118c8dd
SHA1 73d968478af7febac4f189d33df0fddff33364eb
SHA256 2ace3105ea8712b0cdbabd139a15e4ed03d7de0e46c7df2a1b4084aedb46bc04
SHA512 42e1368d04b63550203b6ddd53d47c98633d1c337bffade6c8efbba29249ccda5118cf83448ce8ad61bbb38a858de2198d40fb4ec7284c1c6f64ff0cbedb1f34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 fb5385a3db730f22c764dac7e487cf16
SHA1 bef23d7536eaef38b9374a7b88de842d673819d3
SHA256 946ac8a449438fbba34733d91ffe70b5d98af7fca0e46772a30f30d435278803
SHA512 8e96424c99981e71cedce8bee980a07f5e798c2df59cf0ef2962a71c9ded3ae128b35743a0f5d650bc9264178c3fd903b9c6e83ac7a270644e340ed51c5f4cfd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363021444257881

MD5 81d39d7e2b889962561ef16c66add959
SHA1 477777a47b0e0e19dd1729ff18bb380504a3dbd4
SHA256 7454cbd36cf8691d0f9ee00149d19336d0628d5f4b87b749a4d0026c9f3929a6
SHA512 516bafa80d5b1559f7dd8a13f4a46f657088d4dd7921ea914803dbeac1cf75ffd0e1b6b6d450de43d8afd063c72fae3e4d4373d410b33482cfe89de81818c32e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13363021444083881

MD5 698fb740a3d6f091381afeee42f947a3
SHA1 a34b8793c674889adf2c320bb82db278fa1c83f2
SHA256 ae6ae203d7260c200ef46c5f3b7bd86cf0a3da4ac6b49d4948b8de23abc71119
SHA512 ca840f77aceaab159c08c83fec8ba083b6b6f2fce276af3d36abf5f567d1cbe8d807214f5111fac2523d19be7998d06dcd1e41744da254c05ff98a55e34aa7be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

MD5 3bf00e508430647bd00d94c23e1e9cc6
SHA1 1d8fb1909158e6f8120e3b449cd5635588b1c7b2
SHA256 e5c6f2707a38aa507907d3467ca13392a3efa29205b47aa0907ef0b7328cb8b2
SHA512 667f11117bf0706c875333e88aa10a882a49c10396a80b7fe0b4d1ca368ed78eea07cd45aca8a06d6b9b15cb8cb2dcce9893f483d4e396aaf3764641b3d18475

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 1485bfa858f7fde5341e24d3dc3f120a
SHA1 7fa13e3b5a43ac2fb6f219fb8dd7060b8af15d41
SHA256 88b986ef2c0221bb88d085ceeacd4a508d9e87a95af19b285b7646aa2b1f7d17
SHA512 a251e5bc35fbd6b93ff0cf1c8523037624332a5e2abc74ae2d238d1473784980bde3ebeecf5b95ccd9824824f07cbeeb68ec0d1bfa9a08ba9eb04276d3ded2bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4d9a89ab3cb2675d7e7ebf62788b4128
SHA1 1fbacaa942057789a87d3e3b9327846d191653f0
SHA256 3b6b312dc4fed3a605b408f6e7a3c154d9608a89fe7828a9d1bb295ca9754769
SHA512 68bb9a3233e0cc688da57cd11ac5bf63099483056c8c4c553a29f6a14d8a77dc14e3c416709e2165932b3dbea776529b46a6231c4225f14c31480fde6dce3f2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 afc6cddd7e64d81e52b729d09f227107
SHA1 ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256 b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512 844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 aa94189d8a2a0393e540dc68b81ef064
SHA1 5cabe829caf3f3a088b26811efa64d23b78b9e91
SHA256 524bf2bd3f12830b12057a9e0612b2eec57924e953a9e4836f13e2aa11f01160
SHA512 f45231ce07c4d01bcbe127b2ed55585ab93cef16f3d95e8a59842e9adc3cc7860706a6454204ce8ce666591844595f6a9fc56d2c542a3a825e8d7cf59e4fb858

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

MD5 8f558cc9af6a1a4da755d34f6e250763
SHA1 58931e17e9fe5e256e3217852b4049a8fa28f995
SHA256 7237a98d0afa4c4ccaeccc84f84ded9fe93389542010a1c89f480c46334b4d0c
SHA512 72c423b02bcd04bc119863655538809e065dae2569e691fb5613d6ecb660e534ab344ab80041afe901ff28a8fc077c46df88ab592ec953309bd8a8d3fe4db6ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data-wal

MD5 9c731bb8b73ff76249dddacd8edfe3c0
SHA1 bdd8bf5a050bf154bbd0b3e1cf27e5c682009efa
SHA256 6b30cdb7c52c4d3f0155dc92a8ae6a8997d336fc3d4c49f8fdda12bca57268f3
SHA512 b6d2c54e122197615b3b558fb703e94ab2908235c0f7c377611477dc18a521d9673cd01c574ce25490d871e42931e99e69acdbcb11928a297c6588310055f139

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data-wal

MD5 ff348d91b2e2b68e5a611fd861642a09
SHA1 61a53a3772b6dc38276017e3ca1570b1a6cd4262
SHA256 4fabcea43acf755fc52ca432bc2022fcd7c6f8bd31b3c83b0f1273aab923705d
SHA512 522a4595080174177649a3d27b447cf1b989e0141ad49a797fec4aefffe2af0c48fd531483a647dc3a8321c7e79777e9d072d2472c0890a5233202aa181a40e5