Analysis

  • max time kernel
    111s
  • max time network
    113s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250207-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09/02/2025, 10:13

General

  • Target

    Discord rat.exe

  • Size

    79KB

  • MD5

    d13905e018eb965ded2e28ba0ab257b5

  • SHA1

    6d7fe69566fddc69b33d698591c9a2c70d834858

  • SHA256

    2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

  • SHA512

    b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

  • SSDEEP

    1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:3824
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5440,i,1394014676065102427,603922297840707476,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:14
    PID:4788
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2160
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTAyNyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjIxMTgwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNjgwMzUzNzI5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1820
  • C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "992" "1276" "1176" "1280" "0" "0" "0" "0" "0" "0" "0" "0"
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:2916
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTkxQjhCRUMtM0ZENi00QjFGLTlBRjQtODFGQjBDREM3QzNCfSIgdXNlcmlkPSJ7RTcyNjZBNTgtNDc1OC00QURDLUFBODktOEEzRTI4MTlCNzZFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyRTUzRTZGNy1DNTA0LTQ4OTctQkE3MC02N0FFNDEzNTRBODh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDU0OSI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNjg5MjYwMDgyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:5048
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTkxQjhCRUMtM0ZENi00QjFGLTlBRjQtODFGQjBDREM3QzNCfSIgdXNlcmlkPSJ7RTcyNjZBNTgtNDc1OC00QURDLUFBODktOEEzRTI4MTlCNzZFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxNDY3MEYwNS1FQkM1LTQyQ0EtQkVBOC00OUJENTE1Mjg4MTh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC40OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntENTQ1NTQwOC0yQTMxLTQ4NjgtODE1My0zQjRDRDBDMzcxMDZ9Ii8-PC9hcHA-…-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDYxMTFDMUMtMDc4Mi00NkI2LUJEQkItQkU2OUVCRTk0MjI4fSIvPjwvYXBwPjwvcmVxdWVzdD4
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3520
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    PID:3320
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\StartNew.rar"
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\StartNew.rar
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 27429 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c28d1092-3526-4114-a3c2-8c73be533855} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" gpu
          PID:3464
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2280 -prefsLen 28349 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0764791-b9b5-454a-b7df-9dcdbd986eb6} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" socket
          • Checks processor information in registry
          PID:1596
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 2952 -prefsLen 28490 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ed63bae-b719-41da-8e37-8bf5855ec212} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
          PID:3532
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 2752 -prefsLen 32839 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1df3d32-2690-4e78-9329-6330af0df957} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
          PID:896
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 32839 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79ce20f7-3c51-4b8b-bb17-39d423be17dd} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" utility
          • Checks processor information in registry
          PID:5780
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 3 -isForBrowser -prefsHandle 5744 -prefMapHandle 5740 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af254b3-a28e-4361-a9e2-893470663348} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
          PID:5240
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 4 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3825520-ffa0-44e6-819f-a424ccbbb3d3} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
          PID:5252
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5764 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8851e41-8cd2-4a95-8cc6-ae25d0e955dd} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
          PID:5264
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,1394014676065102427,603922297840707476,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:14
    PID:6104
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    • Modifies system executable filetype association
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
    Filesize: 380KB
    MD5: e35e32a1b8c3803c10ed90716fbc20ff
    SHA1: 4ab0fba8d2a190822114228e85de4c490bf758de
    SHA256: d84c31eefbf5e6733819ccbe8d85b9e0d96b8c2ac499f88d8c165050bf51b52e
    SHA512: 7197eb2746c32155ab3011a5d01c1d9572145cdf88711de3a58d3acfc9e0d54c3ecef8b15fc3d793a713485b1d23ad7087fc0703988d25cf5c8ce5c5ad4e8b00
  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
    Filesize: 406KB
    MD5: fd39c3d6a89a43152f76d4158a3291fb
    SHA1: 090c8d436ed51aeb52be15f0583dd6c2cf1b21a7
    SHA256: 557b4945a9b59c1c4a4ea2cc7f957436b8eb182f7118c77d876e4937132e5e19
    SHA512: 62d51767fb0a9dab35519c75738d99e95b557a243eb20882745278bfe5835b54367ab0100182b7847bdc6d5c43e0c9b8591e50fb8434141d802025257475c196
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
    Filesize: 63KB
    MD5: e516a60bc980095e8d156b1a99ab5eee
    SHA1: 238e243ffc12d4e012fd020c9822703109b987f6
    SHA256: 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
    SHA512: 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HJ588GA9\update100[2].xml
    Filesize: 726B
    MD5: 53244e542ddf6d280a2b03e28f0646b7
    SHA1: d9925f810a95880c92974549deead18d56f19c37
    SHA256: 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
    SHA512: 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\srrvfmx4.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 21KB
    MD5: a50791bc3685d9e6f9f241147e00cb09
    SHA1: ef23951a0afe53e47c97138ef159bf8386a3ba0d
    SHA256: 83d85d0b9b936f3fc4dc718ff95b0520fec455eee8f1650c6be67003ff3d10f6
    SHA512: 70beaca4494de4d6e21346230ea064feb96f8b31a967d3c74bb423c02397c2fbe12630b5bcbc902dde553ca3dc9efcb8c646d2c7fa563aed1466277a9d045296
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\5fce85d1-f028-40e4-93f9-918aaab707a3.down_data
    Filesize: 555KB
    MD5: 5683c0028832cae4ef93ca39c8ac5029
    SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
    SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
    SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: 93dcb3519d0e1f274aacba8db15a68f4
    SHA1: 88c2a7696cb8d34b6896fca5199b7c8ba4d1e711
    SHA256: 55c8dbf9f8225304ada3fbe1719740a6cca2e0ec5f28cc0d71a1a8433af23e87
    SHA512: 09196b1b791bee8f5a25c6ee1e48763a627b2717ce8afcbd02e2e4abeecfbee72efa587e79e7e471c57d39baef3f51e1859db9e537411f79198de0f3376c8f66
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 6KB
    MD5: f57d06fc7b71921f867b2bcd1bd16540
    SHA1: 44bcfc791417ec0ad81c60a4756ae9dfb95040eb
    SHA256: 943512b1a5fe3ccbcebc049604a20b24bbe907ab160ae19fdfac1e863db3bba6
    SHA512: b03c5d9733ef49de582e7ffca0d1bef894f09683527f50f085bafc07fee6e3f6781e3b11130221c5153e33271d6c01ed5e1e0943de4605886d581e3a2aefff8a
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\datareporting\glean\pending_pings\09f15793-3387-43b5-92d3-28a4e624c0b4
    Filesize: 671B
    MD5: 323f6ac563cdac730b08da625ae00d98
    SHA1: bf3329abe0fabe739a2fdb70f9d4ee22aa9abfc4
    SHA256: 98a7e376fd3070875a95972dea60dc0670775a5609bfe4118d4b56bed68e2541
    SHA512: 31acadc45876a036c2d66664fe8f421fb43f376dfd1a6853aa2912335e72d7c0746c88b74ba624367e352f818e91f99a93c7aee40e85ad9a4d2e073e3d63302b
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\datareporting\glean\pending_pings\355223bf-8e90-4db5-a587-d06e0b069ed1
    Filesize: 24KB
    MD5: 8605fc2d375ab8e69a006cb0490e8caf
    SHA1: 61ffbb62516f2613331245e28461ccf2dc5d2cbf
    SHA256: bd60a487337c73e5a800a4ebd5185a9d2a396fa72c64293115aa924964ea75c1
    SHA512: e110ffe159dd879e514430a60bda29c76a9221e09ca57f132e2e5bbe80bf24c26e1e9429e910265734c91304d3d7d7ee21c86593dedf4ed5ee6267fb103c785d
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\datareporting\glean\pending_pings\55df0a50-4fa3-4b9e-b64f-9b99c839a5a7
    Filesize: 982B
    MD5: 5aaead6901e1b7dc88929b6bd17d9e88
    SHA1: d6df9d2758f67064dc40975bfff066f492206c28
    SHA256: 40e8d8a02370e95280b2b1e1770d71dd34abad4ef4af43ba5ae696c1cd3fbe33
    SHA512: b2a618a392b157f030531c6136dd5b64d5e63b7c0be27c866bd804a8b4587b000758ee26154b16d83c25236bb2c99a5a7ed6242a41d3ed3220a761d856c90831
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\prefs.js
    Filesize: 10KB
    MD5: de500c43c1dd10e4e39c72f9c3b952b5
    SHA1: c29f5873e277092561abaf7979f3c4c34d53f8c8
    SHA256: e4947e0f1866c3722f008dfe4a1c0ee3119a568604def0d5c92df8d0e4fbda9d
    SHA512: 3eda3953f24d0983e7b92310e479a56792c09d53dfdc738e6f12da01d4dff5bc67c50f7f10d3b8bf643b76977680e0b4db093e796b7a87bac9beb9acb33bbd8b
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\prefs.js
    Filesize: 9KB
    MD5: 1eafa0f34a354a05fc2fad037210ce12
    SHA1: 79bdb2d807c1a78f6678c9542fb38e4250db4459
    SHA256: b0c86e2dd4bdf10a1b3c0ef8e203f4f07b10d22bfa18a9b82712466bd7a3e24a
    SHA512: b2ef3c1771860183d7ce4aa96ee2ff675632f7428fd64d9b23dbea59e58fbf1e7586499eaea00eccb9a57938667a035b96dafef1baa3b29f7d5f1d749b6fb8e7
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\srrvfmx4.default-release\prefs.js
    Filesize: 9KB
    MD5: 7bf869d5597e43d94a80bd0383b853c0
    SHA1: e2f8bde5a4d65f76dfb038cdd20e44d5299538c4
    SHA256: b24548fa7919e537a1092564699a1fe489c12d0cf958c27f5ecd5dccdd77a3b4
    SHA512: 2ce0bb00eb5493eae3ebe02526baa4d7524515c2c14d1406df6b52bd8ffa2d8c208b98fa7050c747d3072212293e0888c7f9434ca53049e9ed772a24c726cb8f
  • C:\Users\Admin\Downloads\74ARJ5_H.rar.part
    Filesize: 545KB
    MD5: 2336ceb3f559d1b1c0f097261ca2fc13
    SHA1: 4bec98a218c2d849b54489911b96db7be6676f77
    SHA256: e174f14173f7bf7cb21c8f585cc9699c4e521e2758c8dc81b0dd96e41b48a5ae
    SHA512: a424b40f2d9976ff2f35ff71c58c4fef67cd22fc48c6a806e1aec6486a95d04004fd1962837e4ef2d14be418ea13a19aeb7caad8beeba628c137fa7542d553a0
  • memory/3824-3-0x00007FFC1E250000-0x00007FFC1ED12000-memory.dmp
    Filesize: 10.8MB
  • memory/3824-0-0x00007FFC1E253000-0x00007FFC1E255000-memory.dmp
    Filesize: 8KB
  • memory/3824-6-0x00007FFC1E250000-0x00007FFC1ED12000-memory.dmp
    Filesize: 10.8MB
  • memory/3824-4-0x0000021EA4B80000-0x0000021EA50A8000-memory.dmp
    Filesize: 5.2MB
  • memory/3824-5-0x00007FFC1E253000-0x00007FFC1E255000-memory.dmp
    Filesize: 8KB
  • memory/3824-2-0x0000021EA3700000-0x0000021EA38C2000-memory.dmp
    Filesize: 1.8MB
  • memory/3824-1-0x0000021E890C0000-0x0000021E890D8000-memory.dmp
    Filesize: 96KB