hxxps://drive[.]google[.]com/file/d/1gCFO4RPEsD-k8azxqs944tlSpeTdRECV/view

Analysis

max time kernel
112s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-08-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1gCFO4RPEsD-k8azxqs944tlSpeTdRECV/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	DDLC.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
3800	msedge.exe
3800	msedge.exe
5064	identity_helper.exe
5064	identity_helper.exe
3440	msedge.exe
3440	msedge.exe
1436	msedge.exe
1436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3104	3800	msedge.exe	82
PID 3800 wrote to memory of 3104	3800	msedge.exe	82
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 4932	3800	msedge.exe	83
PID 3800 wrote to memory of 2356	3800	msedge.exe	84
PID 3800 wrote to memory of 2356	3800	msedge.exe	84
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85
PID 3800 wrote to memory of 1892	3800	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1gCFO4RPEsD-k8azxqs944tlSpeTdRECV/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d6893cb8,0x7ff9d6893cc8,0x7ff9d6893cd8
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18104926240742472413,15768874484912969969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2832

C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6\DDLC.exe
"C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6\DDLC.exe"
1⤵
- Modifies registry class
PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:4448
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6\traceback.txt
  2⤵
  PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6\README.html
1⤵
PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d6893cb8,0x7ff9d6893cc8,0x7ff9d6893cd8
  2⤵
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
6e5121542220972677ffdbc5d4c99dff

SHA1
05f7ab7d2ed623cafa734f25e85da66c6d4caeb8

SHA256
36000aae4b3fbec5cc64f64cfa5ed2e906accdfa7a5ee7ca4732971d149e67a9

SHA512
aa2792909b3e00e40f8a00bcb560ac22785440b3a2aadc0db45741a82667b2ea9f514357acb2d6d465ce51772e19bd703c0386e9e529990f9ad857b45fff4a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f7911b430f51794953644ccb43b3a5f2

SHA1
20f10f6c64ed4a8aefed85a12205819f3aa97ae3

SHA256
6235fb686ab305f788667e4799d0d4dcf78e9183e74a6d05243865ace1474b43

SHA512
70f4e97ddf6206d6ee1b5f0d1174b3220d03994d094f7b63ed55500d4ec17d4b2f07eff92bbb9be0a20cbc798e68cdaaf6bb60038d4ad807f800a8ed3fcb5ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7b593ce6a1dda6ff160be071f5036528

SHA1
dd395d726b1c34a81f33e27a309900055acc34eb

SHA256
b8182b4c91c958c186272f923532f954d86ad83c7c7b5bd4c05b9356fc3b3672

SHA512
f0ba20695661ae2c2f084b054d05580313f86b535e956cee7c1b9b937a9b088a99ee612cffd6da2fe739cc99886ec40bbc15e642715ff4124a406c4213c0623e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e7da13e859bbfa38388900f16a29681

SHA1
c465553ffaec64ae7562c05213a2634166f4aaf1

SHA256
1c5d849ade50a81a3b1777977d609d10573acc5795a20f3984cc3c135fca17c8

SHA512
2d9858f4d93302aa31a674934b9c967cc0860496fee404c66f8e3f52b3952c58e015925d71169dd2b5b954ddf03d4a47a7033a8e53cb08cc85ad4167eff4c62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dee6d523ff5f3452a8360b6cb56323d6

SHA1
5deec70351a7879442ad0635ae2e803703aa6079

SHA256
38e08d8190a5cf0bcf16b54cc019c90054f8d962f62cbe6d14a1f5276e08829d

SHA512
88b59ab76e4bbc0b6ed8b5646716aa7670bf181f880118864d9a6ce765ff87f970ec03dc72991660a48afbc7ca65aee9aac338ec348541c454dbfc804b2830e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
17366fefdd3846e1fcaa6658fc3e4e07

SHA1
37def86b86d21238ef8aa7fce3e27b10b3ca7a68

SHA256
f5bae58d0e066dea133b14cb5514fd721d0dcae29a359765895ba2845a815255

SHA512
2923764f0691318af35f8532e81ae3628dd6601e363f553ebec77e7d67946626dd60de0ff655887913bbc4b245611ffc4d15791ad565f3067fe4b9dc345e67e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98651a656f8a8c82db0e866a32aae703

SHA1
c864d6ae4372d6f1b6bfb580fcf2a4e4a7f65d25

SHA256
0470ff07ead492852e1618ab9cccdf8b51f2e7595235bb3cec6c9836c5e29891

SHA512
619b7873691546271f474a6c4cacf47ff4057708879ed9a6524862375f38234502384ec53664d29654ad5e62f72371cabfb73bb2d7e5294afef6f02bf08479f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d4e1363bb930c38bd96d083fe41543f

SHA1
de21299fb4c594214aeab5d2f4bc268907577bc5

SHA256
58a39b660d494ae4a03cc5693ed652403abd5e33c5976b3c2310426ea0a38028

SHA512
2449887ab5acf7c1257ad55789c060bfa7a063e3609529d5c378ba8559c267e2b4f0057036ebcede5873f8f21edda7c1a7ca43aa09a47a155bb8cd6e0564faba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba8c396b3785d952e7f74f8b63b64d17

SHA1
5aa1cd03a64bf05aa05305bf26b624951e6afed6

SHA256
01d7416156e1d047a80e427bf9b8f638082e62373643c25b5001bc723e01b0da

SHA512
45d2acb950ffd808720c05f735d92755c78797e9c58f883a84278ecd2478c3ea459402beea50cb746c4cab92d04bd98d5580367963bc61864aa318e23dab5006

Download Submit
C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\NIGHT-RAIN-1.0.6\traceback.txt

Filesize
1KB

MD5
abd95aed23985a2359572a426bfe8b56

SHA1
882ab9c9275af8eb3faf396ec77e3df50f0c5cfb

SHA256
4e0340c1dd563ffd3f45268f9999f615c1561a38fc4e3475a42361ca91812064

SHA512
af0f0ff1b4f4cca94b66c84f6c7dea286eb2f2c3f310565297b727372b97f70f7085be79f18f4d6343eb24c6b514581b64be2275a9dfc77c474a26950e01cac8

Download Submit
memory/4380-479-0x0000000140000000-0x0000000140033000-memory.dmp

Filesize
204KB

Download
memory/4380-481-0x00007FF9CB610000-0x00007FF9CBE33000-memory.dmp

Filesize
8.1MB

Download
memory/4380-480-0x00007FF9CBE40000-0x00007FF9CCFC7000-memory.dmp

Filesize
17.5MB

Download