Overview

overview

10

Static

static

1

URLScan

urlscan

https://pastebin.com...

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-02-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://pastebin.com/raw/G5ChV3cj

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Wallets

bc1q698dtm422e6tzu2jna8laaspy0pjz2sdecg8dn

Attributes
  • aes_key

    123345

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/DDTVwwbu

  • delay

    5

  • download_payload

    true

  • install

    true

  • install_name

    Skin Change.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \Skin Change\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/G5ChV3cj

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/raw/G5ChV3cj
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2f8646f8,0x7ffa2f864708,0x7ffa2f864718
      2⤵
        PID:2452
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3952
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        2⤵
          PID:816
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
          2⤵
            PID:4040
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
            2⤵
              PID:1912
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
              2⤵
                PID:3308
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
                2⤵
                  PID:2288
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2096
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
                  2⤵
                    PID:2168
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
                    2⤵
                      PID:2948
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:8
                      2⤵
                        PID:3736
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
                        2⤵
                          PID:2920
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
                          2⤵
                            PID:916
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:8
                            2⤵
                              PID:2896
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4956
                            • C:\Users\Admin\Downloads\New-Client.exe
                              "C:\Users\Admin\Downloads\New-Client.exe"
                              2⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              PID:676
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Skin Change\Skin Change.exe'"
                                3⤵
                                • Creates scheduled task(s)
                                PID:3920
                              • C:\Users\Admin\AppData\Roaming\Skin Change\Skin Change.exe
                                "C:\Users\Admin\AppData\Roaming\Skin Change\Skin Change.exe"
                                3⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:780
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
                              2⤵
                                PID:2316
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
                                2⤵
                                  PID:396
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
                                  2⤵
                                    PID:3288
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
                                    2⤵
                                      PID:4732
                                    • C:\Users\Admin\Downloads\New-Client.exe
                                      "C:\Users\Admin\Downloads\New-Client.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      PID:1908
                                    • C:\Users\Admin\Downloads\New-Client.exe
                                      "C:\Users\Admin\Downloads\New-Client.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      PID:2744
                                    • C:\Users\Admin\Downloads\New-Client.exe
                                      "C:\Users\Admin\Downloads\New-Client.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      PID:2276
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7542431552992705051,4416294394579737730,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4964 /prefetch:2
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:320
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3488
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:4488
                                      • C:\Windows\system32\AUDIODG.EXE
                                        C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1632
                                      • C:\Windows\System32\rundll32.exe
                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                        1⤵
                                          PID:1160
                                        • C:\Users\Admin\Downloads\New-Client.exe
                                          "C:\Users\Admin\Downloads\New-Client.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          PID:3420

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New-Client.exe.log
                                          Filesize

                                          709B

                                          MD5

                                          8a1197be130e48aa5aeeafd43eb6bb9f

                                          SHA1

                                          cb790c7c216e41524348eaa0e5b74926e78dbfc6

                                          SHA256

                                          547474087ec8f71dfd32b76f9b74c86f9844addf5082df37562a2c2c0cae4bfb

                                          SHA512

                                          4ad9d8dbbc253c8d7b1c2b4ec5f115c770f02bdbbc21ca0b422e251a3a98331e169c5062cabf7da81d5ae0d295b3778ef105ef82709df1a4ace71be288b8f166

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\632fe162-d3e3-446a-b797-a17c1cabfb4e.tmp
                                          Filesize

                                          11KB

                                          MD5

                                          3217b42390fc112a0bfcb9618668bcca

                                          SHA1

                                          bbd398d82438fc6df27bc1218f093ea265174cd5

                                          SHA256

                                          33b83b807c4b85aed275692e357e5f03a14d2da2701052f692a8a7c60cfaa54d

                                          SHA512

                                          e86a17831937aba87ae541434fc55bb97252c7d649ecf82cd322cd31e5c32425808b42819890ae073cae96009ff96d90199306a6a23954ca3d0b40dfa5209164

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          a65ab4f620efd5ba6c5e3cba8713e711

                                          SHA1

                                          f79ff4397a980106300bb447ab9cd764af47db08

                                          SHA256

                                          3964e81a3b4b582e570836837b90a0539e820886a35281b416e428e9bf25fd76

                                          SHA512

                                          90330661b0f38ca44d6bd13a7ea2ab08a4065ec4801695e5e7e0dea154b13ac8d9b2737e36ebe9a314d2501b5ef498d03c5617c87e36986e294c701182db41b9

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          854f73d7b3f85bf181d2f2002afd17db

                                          SHA1

                                          53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

                                          SHA256

                                          54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

                                          SHA512

                                          de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                          Filesize

                                          72B

                                          MD5

                                          b26a80fe950d017e8d024525ca5c35fc

                                          SHA1

                                          fdf686f0297982af08a5349eeafda9350e3aeb3f

                                          SHA256

                                          4cda4ba6fd14a61d0e3f06759e1d9114692a3d3897bfe97c31dcf8f31ed3864f

                                          SHA512

                                          a0c52f172370bb7bc29aa3dc8d2aa8408f59fe4f309deeb414d7d0b459847fa3c153cc97986713ad0df1b7848fd526d923b4f6cba2a0f95c85c7bb310070da03

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
                                          Filesize

                                          16B

                                          MD5

                                          46295cac801e5d4857d09837238a6394

                                          SHA1

                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                          SHA256

                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                          SHA512

                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                          Filesize

                                          258B

                                          MD5

                                          0764da9c0c74390bab3052a84f6c18ed

                                          SHA1

                                          22ccdcf0c4981bfa3c579e96fc5cbf611485b678

                                          SHA256

                                          8bd34660443eb3ec7374c3df2693dcd8b3f53c98b84b35d8a61ed1e54b5db281

                                          SHA512

                                          f4e194de9cf3f5bfe1ea555a669af76105f0d38607d989a0260a40c39aae1d80ad660dcada97024ecb8508f84476ae58b307a5d49683206b8b3a3f7fdc5dca68

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          529be5d5410d7b2872a91871efae00a4

                                          SHA1

                                          bab69c03c7aeeb225ffe8e80ebbbf635073078fc

                                          SHA256

                                          59c7f382f29d65687d90865741d5147557f3c244de6537bd6828d9a406db0eac

                                          SHA512

                                          ba7245706a1ac6536845d820ac2907dbc551c84112814a670d954ad6245601a13f5405a4508e95adfede08976fce83e18e731f3d593884edcaca113a7675969f

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          47d5685807dac0dd4d685383a17edfb1

                                          SHA1

                                          a24f65a3e3face12c80a9b826b0a6759dd6266da

                                          SHA256

                                          49e4ad3a22e1e201bedba14f2c122844664566b863459b05ededc9a1cda74fff

                                          SHA512

                                          a8e988a912fbe52d9909799a0f96e9b0bdbed8ce7ad0950228a2a48daf09407e67b6decb64684051de1171a402a93bdaddd0f3741fd17408d1de5ec2b3c88ef9

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          3262774776e42087340d567bae324b97

                                          SHA1

                                          b08a8f5cff9e6ad03c9f4aee81291862048bb928

                                          SHA256

                                          e8df7f4c81dfdae1874f0ce770d8a95fab37d29a80978920d400c606ac730fce

                                          SHA512

                                          ad79287ac6488582f69d98f07318fc2046a6e4eaf74e845a86a1ce68d8abc485dde816d521c698ebbe781cf28e0683ce5bd81920d5dc745a645c03204a214768

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
                                          Filesize

                                          41B

                                          MD5

                                          5af87dfd673ba2115e2fcf5cfdb727ab

                                          SHA1

                                          d5b5bbf396dc291274584ef71f444f420b6056f1

                                          SHA256

                                          f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                          SHA512

                                          de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                          Filesize

                                          72B

                                          MD5

                                          0a7b692304bc01fd4938273b2ebb84a2

                                          SHA1

                                          e6a7e61bb343aa88f4f65fd808529c35ae2d8db1

                                          SHA256

                                          59353aff3cbe934f89786aaed7e4cc1343413d9b549dfe13d13c128465deacc9

                                          SHA512

                                          8eac14c1ed342385a5ba7d435ddc5ece5f2e6e8320ae4add09aa4d85a3915e22efa4f9d890673af49f9f85eb846d374650ff6241b2a4891aef5d1a716c8be568

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b42d.TMP
                                          Filesize

                                          48B

                                          MD5

                                          46c762474840151bf9e6a1d2152b3dc9

                                          SHA1

                                          b37a80abbaa7f778625692e1974af5e157d0f093

                                          SHA256

                                          9c18f9d1591cfa22dc7069325c7cc8852bd226349b97cedb1f212941bb2b659f

                                          SHA512

                                          defd22f8f8e08c22388c13e241dd41f29269ddc931c38f56311c387a1e0243c345f7ec57be26743983f7c0c31f020ce6a6ffa2a12f84b3ac7c004f8b55a823cb

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                          Filesize

                                          16B

                                          MD5

                                          6752a1d65b201c13b62ea44016eb221f

                                          SHA1

                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                          SHA256

                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                          SHA512

                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          11KB

                                          MD5

                                          26a23abeadb2db84c49ef3618b4d8812

                                          SHA1

                                          c6b74ebd85b828f8052e8d746c076c20d6ee1761

                                          SHA256

                                          f92206a4ffc7a8483f3f79a71a9536abfbca7f1a669a83d13d7dbef7cb4c8255

                                          SHA512

                                          eb836b0fb6ff79c65a2887901079873bf185bce5f26aa276818bd9b05a55f00b23aced439e1ddbdb18d297852bf40487d33d757fdd72d0ef4ee824381c8483e1

                                          Download Submit

                                        • C:\Users\Admin\Downloads\New-Client.exe
                                          Filesize

                                          29KB

                                          MD5

                                          b7cca29e0ea7b6efdf8df3e18d9c5068

                                          SHA1

                                          59bde890ed7889c8a66cb879cac019870112b818

                                          SHA256

                                          000793fc7b6ce91fbd45cf06a0141965fa18c969b98d379af0522a073a057956

                                          SHA512

                                          3cd51ea7592c4080a9a544e518b90e8482f4b9c1b74c128f855dbaa49e2b7cf7f5b7b1993850af305d8af7136667b1d44d9311c972152ad10648f73d68d74aa1

                                          Download Submit

                                        • memory/676-165-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/676-167-0x0000000005A70000-0x0000000005B0C000-memory.dmp

                                          Filesize

                                          624KB

                                          Download

                                        • memory/676-192-0x0000000005C20000-0x0000000005C30000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/676-191-0x00000000059D0000-0x0000000005A36000-memory.dmp

                                          Filesize

                                          408KB

                                          Download

                                        • memory/676-166-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

                                          Filesize

                                          48KB

                                          Download

                                        • memory/676-214-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/676-202-0x00000000067A0000-0x0000000006D44000-memory.dmp

                                          Filesize

                                          5.6MB

                                          Download

                                        • memory/780-245-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/780-220-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/780-215-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/780-221-0x0000000006310000-0x00000000063A2000-memory.dmp

                                          Filesize

                                          584KB

                                          Download

                                        • memory/780-242-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/1908-233-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/1908-238-0x0000000005290000-0x00000000052A0000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/1908-246-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/2276-237-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/2276-248-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/2744-244-0x0000000005350000-0x0000000005360000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/2744-247-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/2744-235-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/3420-243-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download

                                        • memory/3420-249-0x0000000005200000-0x0000000005210000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/3420-250-0x0000000074F40000-0x00000000756F0000-memory.dmp

                                          Filesize

                                          7.7MB

                                          Download