Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    55s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2025, 00:28

General

  • Target

    https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzNDk5NzU4NzQyNTc1OTMxMg.GrjXH0.mx9kESWrekuu3qPcINeGceXbQuhLEJ0XCQjipM

  • server_id

    1334998315099754599

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Executes dropped EXE 27 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac38746f8,0x7ffac3874708,0x7ffac3874718
      2⤵
        PID:1680
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        2⤵
          PID:5020
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
          2⤵
            PID:1152
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:3692
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
              2⤵
                PID:1844
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
                2⤵
                  PID:4844
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:396
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                  2⤵
                    PID:1740
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5732 /prefetch:8
                    2⤵
                      PID:3540
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:8
                      2⤵
                        PID:3332
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                        2⤵
                          PID:540
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
                          2⤵
                            PID:4756
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2056
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3172
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4852
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1452
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5328
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5436
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5520
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5608
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5724
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5808
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5908
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6000
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6100
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5140
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6156
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6280
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6392
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6496
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6696
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6772
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6856
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6944
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:7036
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:7128
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6328
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5732
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2140
                          • C:\Users\Admin\Downloads\1v1.hack.exe.exe
                            "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6632
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2044
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2428
                            • C:\Windows\system32\AUDIODG.EXE
                              C:\Windows\system32\AUDIODG.EXE 0x314 0x30c
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:844

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              9bfb45e464f029b27cd825568bc06765

                              SHA1

                              a4962b4fd45004732f071e16977522709ab0ce60

                              SHA256

                              ceb8f1b0aaa1ba575c3704e73fd77edf932d68c8be902b33f1ba3b1d130cd139

                              SHA512

                              f87cce8bb5489b56027f5a285b948b639a1c7b0f213a111f057235177e5bffc537627c82586736704e398a0185cf2ad8ba8cdee788531fb753a2d08f16e906c7

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              ae2a8f2ebc841509f7b978edf590d3cd

                              SHA1

                              91358152e27c0165334913228005540756c35bd3

                              SHA256

                              631550765e3db02be0709748c0634a2cfdab711cea94f5890854d0c1dfbcb214

                              SHA512

                              e52180dd175f1e6ff72d76400085869387cd70da33919de219a04dc26871e8421e93b22e7c59125c19c6ee54a8a8f742d796ac68ea9077c9dab5f03b80967d11

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

                              Filesize

                              21KB

                              MD5

                              b1dfa46eee24480e9211c9ef246bbb93

                              SHA1

                              80437c519fac962873a5768f958c1c350766da15

                              SHA256

                              fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

                              SHA512

                              44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              72B

                              MD5

                              911fc312873df4f67c181672777ba11c

                              SHA1

                              f3958ca3efc776b864fbdf2b8b74c8380292a51f

                              SHA256

                              5072b873f211f874414ed20f06ac4f6958e6acc60df1fdda6997e39643c76c72

                              SHA512

                              1204db5fd6fb5fab1031d1464f66778b2321003c712b41973fe04d89d16749e8a875073767285334f8539795cc422428bf759d6dd42a9e217ee94de571868740

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

                              Filesize

                              41B

                              MD5

                              5af87dfd673ba2115e2fcf5cfdb727ab

                              SHA1

                              d5b5bbf396dc291274584ef71f444f420b6056f1

                              SHA256

                              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                              SHA512

                              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                              Filesize

                              257B

                              MD5

                              cb2c370608ed5735aec0094cbed1ddbb

                              SHA1

                              8b9da953294d7078e9636c4a122d4c98651bfc17

                              SHA256

                              01fc00c66b187f3bcf3aa0ab676274ae4629fe537f3e0a50c9c1528e0849d5b6

                              SHA512

                              87fc267886df91e9602f890fc931ed971f6892106bcc67774c5869f124755389f6016945d099a9966c08a93a1c1110f5d93242efff93a55de02cde39854ac9cf

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              23298cd8a179a25e9eebc31f6185270b

                              SHA1

                              8cb16614aae8ae784acae64177b9849eb044c8a0

                              SHA256

                              814d4ceb31810445bb40d31ae8c3afa3b5471040461353e583f5d2a2fb167fd1

                              SHA512

                              8fb5c60287e0c210944f7ecd08e8ec89e4563b46d14239b32edae9c266e410f3a99b0fe9f107928fedf1e6ce110a7b051f6fa87c856b3ca9445c1097cd43a19b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              99b3e01965d77e3121405d5561334329

                              SHA1

                              6e59c2fb0a9ef5f5c916d1cc98f7ffba0a91b944

                              SHA256

                              0d04a9d9fe33731b817e51956c838c864ddf715cca26631d49df7233a6aaf00f

                              SHA512

                              12783ccbda715e78e0cba3b13122821145a6da2b674073e153c8903ee5c4a6a275a3aee2b1608af07a9899cd6beaf97d51aa936908c2886d310b640d3e67a77e

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              dea71a8ce9684c72b2bd15f808b0004a

                              SHA1

                              6c65ab666ce538a3bcc139a3e9620089a05b91a9

                              SHA256

                              0d77946527e07e129548197bbddb9afa8a50d3b7278d09adad36294070ae31fd

                              SHA512

                              4291e90c7031ccfeefb806f4955b2620a5eee1d864b2c53deb4db4e8b499e485ca050fd2c93acfdb9e3f26912610977d32af9b44d70039e73be39d5ecdbe49a0

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              7KB

                              MD5

                              ed5af2b0893330b8e6f0f5cfa91458c6

                              SHA1

                              d6340aaeebd68fb842925abf041ece78877adeb9

                              SHA256

                              81fbc26ce9d048eae6bd50b77f47c866d47ae521c0d86e68e17c6888b7d24878

                              SHA512

                              81c9eec1cfaa2e9511aab4ae23a57cab954df3ce621b880eb5507561ca6a18c4372d82ddb9f43887608818730b356d5bddf6ba958d18d7c5a5468160851d1789

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                              Filesize

                              72B

                              MD5

                              9f6cb4a382e9bbc148298b2b1f63f6f3

                              SHA1

                              df7013285572c6ff4aabfb79a4f7e23b62e5a692

                              SHA256

                              9b0d2e0c682befff19f0571bcbeb0dabe3916d6136882f0812e6351d5f8e0fc0

                              SHA512

                              97976828744206060ed55237b80ff600c7f1cc626d757effb3bc7e747dc16734e78ca8db5ed02574efd966b0ba3e9026273b8c61a742a33aa326cd7f144bc2ac

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f08a.TMP

                              Filesize

                              48B

                              MD5

                              38f6d44415696c695670bd32a4d44386

                              SHA1

                              c56e5c8b3163edea11393b3dff240b37265fc186

                              SHA256

                              824c24d368dcfaeb331bf9a25a39f3d3d8f371ac7166d418d7d6619dddaa2add

                              SHA512

                              05e2f8cda0cce3e107bba8b045e4a46b367eed97fd021e694b44a01a4fe29fa504dd9bd129c0d22d4fdd5cf4a0fdb30b9983aa4c34725eb20b0b8ddabb721d35

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              206702161f94c5cd39fadd03f4014d98

                              SHA1

                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                              SHA256

                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                              SHA512

                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              46295cac801e5d4857d09837238a6394

                              SHA1

                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                              SHA256

                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                              SHA512

                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                              MD5

                              035d2ee547d3946f94d4ebc7ffd43bb5

                              SHA1

                              f6278194593318fdf81ceff4dcd342eabc32f9c6

                              SHA256

                              7cd09cb403e1de90e2d660624431e1b4da34edecf96b6ee96618879a86358aae

                              SHA512

                              3335c85e0ec9b6a5fb4a64fd2f5d47c811cc5a003e86f06aa0cde6fc04ed9daa35bef706f16d6aca21d8267c8e928123602df758c93bc1327d6d8185f104cbb3

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                              MD5

                              081b093a31adb995d7bfc6322500e7e4

                              SHA1

                              6982fdb1d220a4e6b3a981d8ab236bb60b116e20

                              SHA256

                              70ce13fcd10251686a46eb02cfc01463eb6ae91739055c681ccd892436f10bec

                              SHA512

                              2b6c6b7a610e996ea4f81dd6527f78f7ed4d9fa4fcb4e9c5143bd1571bdf0eab80b341ac4d204ae4fc372dfa2b2a32fe2e5f9ab846fb31d5146bea5ea750423d

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                              MD5

                              3dd23bdb02147b5fecc93d698a53a61b

                              SHA1

                              43ec4bfc0b60847744986812ed39d4700a9109c1

                              SHA256

                              15663f50a171d6c48b9f9d2657c63c7118167be2fb8be65bd4cdb675e28bdb8f

                              SHA512

                              90d3f1a67ff2c14107699f1b478a1da1dfd2950c69c62849505325d7d1e2da20e3697f6538947991b2551f04b856d2f475278c465b3f4958d2fc933bf96867b9

                            • C:\Users\Admin\Downloads\1v1.hack.exe.exe

                              Filesize

                              78KB

                              MD5

                              55285c492ce47533e64e80ec267e16fb

                              SHA1

                              02a6efa4787bd3660df4598edfb637659a8d5343

                              SHA256

                              49cb42e5f881591cd6252da0709c0eb1e2d7c6d581ddf78b6f9bc6554fe4d7e3

                              SHA512

                              63c7485d091fb3ecab3e80201b9a0c4e5be45127480c9fe2bd3399596656f57479c6a5bc1c296d1b76b9a459f5a94257c5668758b6c54dd85cbf3fadb1e208d0

                            • memory/3172-227-0x000002C0ACB70000-0x000002C0AD098000-memory.dmp

                              Filesize

                              5.2MB

                            • memory/3172-226-0x000002C0AB6F0000-0x000002C0AB8B2000-memory.dmp

                              Filesize

                              1.8MB

                            • memory/3172-225-0x000002C091090000-0x000002C0910A8000-memory.dmp

                              Filesize

                              96KB