Analysis

  • max time kernel
    139s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-05-2024 22:09

General

  • Target

    https://github.com/alphaiscool1/discord-rat-2.0

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Downloads MZ/PE file
  • Executes dropped EXE (4 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (45 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/alphaiscool1/discord-rat-2.0
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID: 3096
    Child processes:
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7e2546f8,0x7ffd7e254708,0x7ffd7e254718
      PID: 1140
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      PID: 928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      • Suspicious behavior: EnumeratesProcesses
      PID: 968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
      PID: 4908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      PID: 3800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      PID: 3332
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
      PID: 208
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID: 4400
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      PID: 2236
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      PID: 1832
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      PID: 4808
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      PID: 1412
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5512 /prefetch:8
      PID: 764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
      PID: 1648
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6176 /prefetch:8
      PID: 1624
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
      PID: 1072
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5980 /prefetch:8
      PID: 3852
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID: 1764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
      • Suspicious behavior: EnumeratesProcesses
      PID: 5044
    • C:\Users\Admin\Downloads\Discord rat.exe
      "C:\Users\Admin\Downloads\Discord rat.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID: 2112
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,4456402196285087050,526574379759348126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID: 404
    • C:\Users\Admin\Downloads\builder.exe
      "C:\Users\Admin\Downloads\builder.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID: 1248
    • C:\Users\Admin\Downloads\builder.exe
      "C:\Users\Admin\Downloads\builder.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID: 2272
    • C:\Users\Admin\Downloads\Discord rat.exe
      "C:\Users\Admin\Downloads\Discord rat.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID: 3080
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3708
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 828

Network

MITRE ATT&CK Enterprise v15

Downloads


  • memory/1248-392-0x0000022BC1B30000-0x0000022BC1B48000-memory.dmp
    Filesize: 96KB
  • memory/2112-364-0x00000294918D0000-0x00000294918E8000-memory.dmp
    Filesize: 96KB
  • memory/2112-365-0x00000294ABE90000-0x00000294AC052000-memory.dmp
    Filesize: 1.8MB
  • memory/2112-366-0x00000294AC790000-0x00000294ACCB8000-memory.dmp
    Filesize: 5.2MB