stormkitty | hxxps://github[.]com/rombus-PREMIUM/rombus-9-grabber/blob/main/rombus-9-grabber[.]exe

Analysis

max time kernel
78s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/rombus-PREMIUM/rombus-9-grabber/blob/main/rombus-9-grabber.exe

Score

10^/10

stormkitty discovery persistence stealer

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0009000000023c64-169.dat	disable_win_def
behavioral1/memory/840-220-0x0000000000360000-0x000000000037A000-memory.dmp	disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c64-169.dat	family_stormkitty
behavioral1/memory/840-220-0x0000000000360000-0x000000000037A000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
840	rombus-9-grabber.exe
3624	rombus-9-grabber.exe
5004	rombus-9-grabber.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"	rombus-9-grabber.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	checkip.dyndns.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 170386.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe\:SmartScreen:$DATA	rombus-9-grabber.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
4088	msedge.exe
4088	msedge.exe
1328	identity_helper.exe
1328	identity_helper.exe
1232	msedge.exe
1232	msedge.exe
840	rombus-9-grabber.exe
840	rombus-9-grabber.exe
840	rombus-9-grabber.exe
3624	rombus-9-grabber.exe
3624	rombus-9-grabber.exe
3624	rombus-9-grabber.exe
5004	rombus-9-grabber.exe
5004	rombus-9-grabber.exe
5004	rombus-9-grabber.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	rombus-9-grabber.exe
Token: SeDebugPrivilege	3624	rombus-9-grabber.exe
Token: SeDebugPrivilege	5004	rombus-9-grabber.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3044	4088	msedge.exe	81
PID 4088 wrote to memory of 3044	4088	msedge.exe	81
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 2972	4088	msedge.exe	82
PID 4088 wrote to memory of 3112	4088	msedge.exe	83
PID 4088 wrote to memory of 3112	4088	msedge.exe	83
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84
PID 4088 wrote to memory of 3120	4088	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/rombus-PREMIUM/rombus-9-grabber/blob/main/rombus-9-grabber.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5c5846f8,0x7ffe5c584708,0x7ffe5c584718
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,427297007996740744,14619768128954921627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Users\Admin\Downloads\rombus-9-grabber.exe
  "C:\Users\Admin\Downloads\rombus-9-grabber.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Users\Admin\Downloads\rombus-9-grabber.exe
  "C:\Users\Admin\Downloads\rombus-9-grabber.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2372

C:\Users\Admin\Downloads\rombus-9-grabber.exe
"C:\Users\Admin\Downloads\rombus-9-grabber.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1288ff7597b10f7ed4c22c6f7f715dca

SHA1
d5ea66bb91c5df80680a655ad4c32915626f6a30

SHA256
445cf1b75822704bdece3757bc63f532bf18ac964e2c9b5f2a9c29940a7fd5c7

SHA512
496d35c15bcbd6c13e01f77f6eae5747f9247e5080b88c82eccea9ae43c9c71d2025c75f711226042299735d8dda8cbf552f4044f1552ff66678fd0fcf96eba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06077f72b386289c237e169dd113fc79

SHA1
5358bcefd22ba6f3f32687dfad5da3539e454802

SHA256
d4bd4fc4118a3691e5826adaa76b069c780fa813e5c3ed71214ce2fa3fe56261

SHA512
7b08dd2e134d0881dc1f80fc8442aa75d44ff8ee892686a80bdbcebf81c89c9b60756899df40c1c245ebf4cdc45e4e0f4d8f40a1a23353cdc911061879c15a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a1c7b76e3fc99ccf4ca649ca005132e9

SHA1
6450e447780268fcf12a4cbbd02c87272ce85bee

SHA256
4173d73a697ba68ce0937983b46c5eb038d5bbccb15bd3804a67b82538f52eb8

SHA512
822110d98c6b59240a22581659c418f00b387b412bd567731d5e5464e2684a7ea2ddeb4f27b2d2f20ad870f36c171bd1626535916e99dc4ed6bd0cca03f2d602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afa2ead3a885b880e505d209bdc7b57d

SHA1
9e6db3d4ea5ad7d65ae2f6a00d65d420eb7b1d6e

SHA256
07bf4aa533d25c34195ebbb84d5b6fe17391ddbe6b2c9e1dd7011171bf269bfd

SHA512
658147ba527cde18e7d3f1c7926bacaa974de9a3ab1031ef9f22a403bacaf22735cb93fd037e17a2b51e0d7aaf3d811c4c8821be9b117dd7b4c0061de265a069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d224fcc4b5ecfbafab53f19acb177f2d

SHA1
96c2a3e9dc994bc5e9166c1ee95e2fc34641f31f

SHA256
0cd1448fc929b717ee0a526133502ef55795dd6565923ec081f92460afe147d6

SHA512
17f81299b4b309591f35bfc4ba7fc763bf66238a93d46bae8069c1d53a205668daa8886e2fe0680507b35eee2f1b2c3f1269a408e95deba6ebb275efa24acc09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bbd9f.TMP

Filesize
1KB

MD5
3830d3447fc2fb56e1b5c2dcac1ee6d3

SHA1
8b4ea881fd7792bb9cadb59f0436db2b644de96b

SHA256
f831a1933245716d4c8b29750e487306672caa4d3b58072ec984722f8086ca87

SHA512
8101ad6c55497e0687b247a5fd0facbe5efb27791429ae423856ca9b752bdcd92d85226a269cacb77382ca6cd2e7a13d6bc6f88f2c3fb1cd456d9db55dfcc6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5a5bdec77e0b2c3bba9651a73aa80e33

SHA1
204700d84da2a29bc99dc6e08a80c6655143ed95

SHA256
34f9715a3722f2818448c680b7c478b3e1873b752ce65ae041d33d368bde0c41

SHA512
9243d56f4ca3487a38edf91971b9b0e123e22bb298a51b5e3d5eba82d33e6dc5873b388c04fa3ad649607970f11474da3a61e5386e48944b0d3a0ca332a6121c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7f82aac91628b4b450ddcc3fdf366e5

SHA1
98d0c434fd6d14e226c25e4386a8e5247970c0cf

SHA256
787290dbfc6892e82ca7e28e63ed842a00a8dc73c932f0f9bb18098c6afc2d85

SHA512
9ab9a0bbbe06618c2aa70b82cb0fde3b119ec52303542281da9fdaaebad3999e4d9d7367ba9efee0758be4f91fc7841075a1c5d586cffc78e75df870a1cbf9d3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 170386.crdownload

Filesize
82KB

MD5
a1a974c17251c93f66d102d1d0106af1

SHA1
bd545e18a5f9f44bfe1113b612bf231baa5ad4ec

SHA256
0e84dcca5effe9e6da099694e1455b2e42437c598fec6a1838b763c7a4d812ba

SHA512
00ad93244bb8c43758a1f253551c11b2c4142ef6d76fc4c31bced41ebe1d2e236615f1acfdf98df6e6d4e1cc6b48bc2611bc6df048f793fc59133cce45594e48

Download Submit
memory/840-220-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download