babylonrat | hxxps://github[.]com/PSXDupeing/Free-minecraft/blob/main/Minecraft%20java[.]exe

Analysis

max time kernel
40s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/PSXDupeing/Free-minecraft/blob/main/Minecraft%20java.exe

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Minecraft java.exeMinecraft java.exe

pid process

2568 Minecraft java.exe
2592 Minecraft java.exe

pid	process
2568	Minecraft java.exe
2592	Minecraft java.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 131378.crdownload	upx
behavioral1/memory/2568-203-0x0000000000A40000-0x0000000000B09000-memory.dmp	upx
behavioral1/memory/2592-226-0x0000000000A40000-0x0000000000B09000-memory.dmp	upx
behavioral1/memory/2592-228-0x0000000000A40000-0x0000000000B09000-memory.dmp	upx
behavioral1/memory/2568-238-0x0000000000A40000-0x0000000000B09000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

47 raw.githubusercontent.com
48 raw.githubusercontent.com

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 131378.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

3508 msedge.exe
3508 msedge.exe
3632 msedge.exe
3632 msedge.exe
1388 identity_helper.exe
1388 identity_helper.exe
2784 msedge.exe
2784 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3632 msedge.exe
3632 msedge.exe
3632 msedge.exe
3632 msedge.exe
3632 msedge.exe
3632 msedge.exe
3632 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 131378.crdownload:SmartScreen	msedge.exe

pid	process
3508	msedge.exe
3508	msedge.exe
3632	msedge.exe
3632	msedge.exe
1388	identity_helper.exe
1388	identity_helper.exe
2784	msedge.exe
2784	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Minecraft java.exeMinecraft java.exe

description	pid	process
Token: SeShutdownPrivilege	2568	Minecraft java.exe
Token: SeDebugPrivilege	2568	Minecraft java.exe
Token: SeTcbPrivilege	2568	Minecraft java.exe
Token: SeShutdownPrivilege	2592	Minecraft java.exe
Token: SeDebugPrivilege	2592	Minecraft java.exe
Token: SeTcbPrivilege	2592	Minecraft java.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe
3632	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Minecraft java.exe

pid process

2568 Minecraft java.exe

pid	process
2568	Minecraft java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3632 wrote to memory of 2108	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 2108	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 3508	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 3508	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe
PID 3632 wrote to memory of 4868	3632	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/PSXDupeing/Free-minecraft/blob/main/Minecraft%20java.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83e1946f8,0x7ff83e194708,0x7ff83e194718
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,371111637781297448,3767745790253607241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Users\Admin\Downloads\Minecraft java.exe
  "C:\Users\Admin\Downloads\Minecraft java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3468

C:\Users\Admin\Downloads\Minecraft java.exe
"C:\Users\Admin\Downloads\Minecraft java.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
09c7ae658385f6de986103443217840b

SHA1
298d880503edce4413337c09d3525f27a2edcd28

SHA256
91e04ec38abdb0204458543592c4621b7bc0306407884f764aa9596a52454cd7

SHA512
4e1272b209487d1e9e7d8502be49ebce91c76718410e817b3ac7faf47d9b699210aab1b941fbb5ddafc192ddf4b2ba151afd47fab753ec62bc0bca36039c55c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c78617ec8f88da19254f9ff03312175

SHA1
344e9fed9434d924d1c9f05351259cbc21e434d3

SHA256
3cb47fcdca33bb3c8f4acc98424140987235ad79815da4f0e7593e4591ae90ed

SHA512
5b58675088b0fc2b2d705cb648ea89385b80c7cf908b0f4f95a9acdbd350b50754e1b586202db6a918eef70029fafb210947f3c43c570ecf7657e08939fd7e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d0d0c4bca6bfbc887eb0b6923e2674fc

SHA1
b53c879971f7899f04c6d3c53e6833ed478bbb73

SHA256
4678dd0c4803ae205d50fa3f2e2a877dd93bde879351b8c269dc1ed6d8669887

SHA512
0e9d3160a2b3bf5e95636a0432f39ffb1a5e5d7c7289b6fdc7d2cfc6059ba901d23a2328d0ad81f14bf2dc9079828ab48c5b844d9ba5a55f47a4019f55066424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b55eae2ab678286b0f4c9bd47c6a04fc

SHA1
8e86480a43d2adb1df7c487a5f5dc64df43fa821

SHA256
2d38a2ca7a1621109d56a44f7e765bcf148824b090b8a0056d878dab45a50f86

SHA512
1149f08ffdf624ab357d32d922bdc757243dc782481c01adcf0f2b6daf8455190359cdf6ccd91b2b12c1eae4a1039080b8cbbb0eda79a464d2b4ed80a0365a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
398bb972ea6e3ac8473e82ff3142556a

SHA1
e9ec062c04f5cd00e7eb764ab0cdf15c51a0a7a2

SHA256
736503d856afaab2844147100716c3c120c1f76985dab05414df83ca891954cb

SHA512
ef6e52b67d2e9259e30c7a5467bac8d231d6c0fdc5398812577c5dde7c16ae4c5362143005f46b5456b959cf316e0320cc46a47010fde8f12177163e8f00939a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d513fa3eb6eb446c6f193a5fa471e20d

SHA1
f522c42264adbe7bbede24decaeeba19997052b6

SHA256
7d64d706d6dbf50c64987335ab0aa96b30e88fd6a430751754b42d976bdc9522

SHA512
b6e8e0c33e11c32d9640c3c8bf2bc54f728b51b546c131be35a435f09c44c595afc5f2ce8da540607f38faf7beef858db17a6077aa4c88531d074cb3b2f40c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a1c3126aaf9f41e8efbc998aff4d6779

SHA1
f28fd6058f19909c6c028b449d216b46afb222bc

SHA256
c6c2c24e4e02ca11316d02666478a7f0f25afa71af3e44a024b871509160738f

SHA512
03005767118c120ba5b3f946c206266ee869312c22601581f4f43e49cdbbec9ca894b1fe90b43fb1313c9da8ac481fe2542ffa19e9837dd7f7463ee03c7c01bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580e63.TMP

Filesize
874B

MD5
6e5ace7bb82374ba57c489c09b9cd83b

SHA1
9cbba71d7df69dd3f72dde9f742125e40d5652b7

SHA256
515fe7309ad2da910154f1f5acc270e209109c2ff12d388145cd9cf7999f2eb7

SHA512
6d9bef16c337a390649b2f21c919d29a038e3b900f4067355f8f990b4f00c5805bdffd2408b64c19ff67aa1a725224c51a2040014ec69213ae1f32bdfad14127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
abf5175550435f788b3a564c5210fceb

SHA1
44e4981394ace11aa64e787130d65506758d63e2

SHA256
64ddd13617515ddc889bf0644e965dafaf165ebfcf418dbbc441eab6b14b111c

SHA512
06eb7f57d89aeb370d52a82b963565d7a42dd55d408472644763ca010b6207777ea3112f1c7c066651ad34bfc97882c12a8eb6b5c9d5f47b315b9cb17c430360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d2d62c5eba664cc43a67b8ac3efdddf4

SHA1
77d14524b3c1c9f8e4537134c4fac134805af4a8

SHA256
370791afac39711d2c4d8245d7deb433a2bf5bcc1d29887de9382ec5d103ac28

SHA512
4cfb27a190d5a4ee079d0bcd4cdf0c88015521e9900b8148cec5fb26e1ea9c94bf81785dcce31afcd93302d1983f58a51cd2ac2e1dceb85fbcac3fb105eb70f9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 131378.crdownload

Filesize
355KB

MD5
023e3201d0ba0f0e2c1b3985e2f8b83d

SHA1
efcc3c1491900c5727e5cb81cefb59aa300f9d1d

SHA256
df373b188345995b7b516126a71960745c485c3fb258252d4d6122852ad9c5ab

SHA512
5b6c51773e34e43cea6ec62c6b361fcdd1898522d3e7f1a3ea8bcbbf72b6b70d0f39603faf804756d98ce6f509261bce60605eaa5b71a5e7f569d9abeb269344

Download Submit
\??\pipe\LOCAL\crashpad_3632_BBIILWVTOXNDTXRB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2568-203-0x0000000000A40000-0x0000000000B09000-memory.dmp

Filesize
804KB

Download
memory/2568-238-0x0000000000A40000-0x0000000000B09000-memory.dmp

Filesize
804KB

Download
memory/2592-226-0x0000000000A40000-0x0000000000B09000-memory.dmp

Filesize
804KB

Download
memory/2592-228-0x0000000000A40000-0x0000000000B09000-memory.dmp

Filesize
804KB

Download