Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://gofile.io/d/8LIBy0

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI3NDA2MDk5NjEyMTcyMzAzMA.GU7_bO.PQQWKKCz2jDyxsje_hCfYCqcJYeKTnPTcs2E8I

  • server_id

    1274060797798252645

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Executes dropped EXE 19 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/8LIBy0
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83fde46f8,0x7ff83fde4708,0x7ff83fde4718
      2⤵
        PID:1884
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
        2⤵
          PID:3652
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3732
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
          2⤵
            PID:1060
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
            2⤵
              PID:1052
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              2⤵
                PID:4204
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
                2⤵
                  PID:4348
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
                  2⤵
                    PID:1424
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2432
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
                    2⤵
                      PID:4472
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
                      2⤵
                        PID:4052
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
                        2⤵
                          PID:2256
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
                          2⤵
                            PID:3120
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                            2⤵
                              PID:5192
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4800 /prefetch:8
                              2⤵
                                PID:5344
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
                                2⤵
                                  PID:5352
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
                                  2⤵
                                    PID:5448
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1184
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5616
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5864
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5944
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2004
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5296
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4556
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4132
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5492
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5604
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5168
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2060
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4344
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5560
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3584
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1476
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1084
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2036
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4416
                                  • C:\Users\Admin\Downloads\celestic.exe
                                    "C:\Users\Admin\Downloads\celestic.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3008
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,3573329652136002486,15369724192353209776,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1352 /prefetch:2
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:6300
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:824
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2356

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      f9664c896e19205022c094d725f820b6

                                      SHA1

                                      f8f1baf648df755ba64b412d512446baf88c0184

                                      SHA256

                                      7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

                                      SHA512

                                      3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      847d47008dbea51cb1732d54861ba9c9

                                      SHA1

                                      f2099242027dccb88d6f05760b57f7c89d926c0d

                                      SHA256

                                      10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

                                      SHA512

                                      bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                      Filesize

                                      288B

                                      MD5

                                      bfcbce20d5628b540e7cb316bcbb0da4

                                      SHA1

                                      af698da4658ebbc33591d216a929e9d34e447ffd

                                      SHA256

                                      83ca7de379f9fe7c1218979ef891811ca7ee34e47b961c7c5671c1d20e23923d

                                      SHA512

                                      bf571772b5558d0fefad36863609667418e60a48ab67d3f0eb605c5a2c43a7a887bc97fd44e4cc860925b3a2b0860810c05aa79fdf0b9276a3afc0156f2860cb

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                      Filesize

                                      391B

                                      MD5

                                      f1ab88c524f4ee3d316bc9aa4dbdca4a

                                      SHA1

                                      19764c97ae5ba829a1833fc8975d2164c542967e

                                      SHA256

                                      0db3634b2312ba23668c3f2cd2209a8eff597ece3e49969da0ce9c3acfcc579c

                                      SHA512

                                      92fbbadc6e401e63a309e6f9a0968f064e8c45d889413631d65e1531ec8a139a1b712148dbec02d1ac28181471c19f76c436057eb4bc3c9bc38f3c219fcc53cf

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      5KB

                                      MD5

                                      95e189ed3914b96d2f38e5451010c429

                                      SHA1

                                      96b53f4092b5379e49714306017d808d785abb0c

                                      SHA256

                                      867d0b613361da8e18edcbb16df53de3e6829451829de73ffb81a9808a1c257b

                                      SHA512

                                      6dae228b2bad44d6d5ffdffec2b360722b2f58cfd596ec7c70db7d5e0e2e7d6cb6519c561c71cd62f42a7aee59ff7d26b6e3dfaee57a83e37b170807f3eebf24

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      51340aba93ebe2ff4db7d96efe2f5e40

                                      SHA1

                                      8f9f3254065f49a4c167dc99ec1eaf75bb889542

                                      SHA256

                                      0de3d500349e7f8835f2c1e212deb49d311b28c35fbab5cf604a3057d43505f6

                                      SHA512

                                      c910a9de1eb44e7c86edd907fa3f5122f30bc487b37e2e8ecdb30eeedfa2c5778e5fcbb7137b306b89ac589dada412895850202fcd0d5934ad5cc5327499621b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      11KB

                                      MD5

                                      372cfa49761803af3e1ddd531ccf5aa6

                                      SHA1

                                      fad7cd2632a42216335495afb6903a6b8941bdf6

                                      SHA256

                                      53792e1c9fe7cee2968e1027dc5c0c4a5ae45a6ab1c32cb804768325185691d1

                                      SHA512

                                      0360aa6f6afbcb120d4b45d56ef0d1bc1df2da7709e2462c6472bd5286d97e265c40da93db3efa10024694338a85a008d93e6474fdd0ad392d36e710ce4645c9

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      12KB

                                      MD5

                                      28f5238f5a8fcba2f8ccd277fd642e8e

                                      SHA1

                                      27b7698582b298d4a4144d7fc34a0c54b6addf48

                                      SHA256

                                      e73a693bf60b4d1f4bf56f6f31353d2810eaf8821b3ecc688578b6d68951c8aa

                                      SHA512

                                      9ea4bd0abf95a42a82ae0d2301a5c5cd02378c0e82077c721a913c148351c1eef83df39bf11e3af093e4f82c31777b804acb3d6b20bd569989648ee05fc1f5d6

                                      Download Submit

                                    • C:\Users\Admin\Downloads\Unconfirmed 606192.crdownload
                                      Filesize

                                      78KB

                                      MD5

                                      038faf7b553b5f29ebfa1c000ae225b8

                                      SHA1

                                      de8dd46c92b81dc6e00d61e72612ba81e73a431e

                                      SHA256

                                      ab89b88da095ccb90bfef2ca1bba709a28bdceceffc41241e21b8fc24ec68ef8

                                      SHA512

                                      9c088f152fcf24993830e7696540afd2d50a6540a44f0d8584a5066a984b0e4f32bd0e60cfabadb9696ad048a5fc82616563639ab4bd7d75e75c606f394cca14

                                      Download Submit

                                    • memory/5616-172-0x0000022A77180000-0x0000022A77198000-memory.dmp

                                      Filesize

                                      96KB

                                      Download

                                    • memory/5616-173-0x0000022A79840000-0x0000022A79A02000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/5616-174-0x0000022A7A140000-0x0000022A7A668000-memory.dmp

                                      Filesize

                                      5.2MB

                                      Download