discordrat | hxxps://gofile[.]io/d/DIybB9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/DIybB9

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMDIzMjYwNzc3NDc0NDcwNw.GxAcGD.mnB92PW9-EMcDuoo3FjOhqODTk92OuERwKSEEc
server_id
1209136277253918762

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2176	flaminz-toolz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
129	raw.githubusercontent.com
133	discord.com
74	discord.com
98	discord.com
105	discord.com
117	discord.com
119	discord.com
63	discord.com
99	discord.com
118	discord.com
131	discord.com
110	discord.com
130	raw.githubusercontent.com
116	discord.com
64	discord.com
68	discord.com
70	discord.com
104	discord.com
111	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
860	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133530885653788476"	chrome.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
2176	flaminz-toolz.exe
4116	chrome.exe
4116	chrome.exe
3416	msedge.exe
3416	msedge.exe
3252	msedge.exe
3252	msedge.exe
2784	identity_helper.exe
2784	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeDebugPrivilege	2176	flaminz-toolz.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 3636	5088	chrome.exe	55
PID 5088 wrote to memory of 3636	5088	chrome.exe	55
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 5112	5088	chrome.exe	92
PID 5088 wrote to memory of 3448	5088	chrome.exe	93
PID 5088 wrote to memory of 3448	5088	chrome.exe	93
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94
PID 5088 wrote to memory of 460	5088	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/DIybB9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c1099758,0x7ff8c1099768,0x7ff8c1099778
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:2
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4724 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5268 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5796 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4704 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4948 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Users\Admin\Downloads\flaminz-toolz.exe
  "C:\Users\Admin\Downloads\flaminz-toolz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C ipconfig /all
    3⤵
    PID:4516
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4944 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5220 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3184 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4808 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1844 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6424 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6140 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6220 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6592 --field-trial-handle=1892,i,12415050525029874953,11679949160379936006,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8be1846f8,0x7ff8be184708,0x7ff8be184718
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13238530157931490807,13741375557723418651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:5204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7296eef1-e791-486d-acfa-e6e93a29b3c0.tmp

Filesize
6KB

MD5
8ae8221ca033d6936e1514997b38bc4f

SHA1
ecfbd2bb4314fcbe2883f2a5c3c55b3ebe9294de

SHA256
e78d2d32b737d4da297e37e07801ba96675d807a74c68568b60208fd98fb384c

SHA512
98b666dda5c1f267327d1fa187658d9d26736a1b53a1bd8844f97af6e2bd75b8af7b27b4bd2978768ff225aaef51dd434d56775b2748a89d2b61db66bd20cca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
1720983dd280c42c5f36e08bf95183b6

SHA1
a86fc2bf9642941fbc4721db840a0c6410d37307

SHA256
e0ad95381d25bb36022733fdc4775b25674aba602cd42bc543e5fa4a71fa54a1

SHA512
ddc377ee3c6c032edd7ed2b7f962885697c5d4f6cc4cfe7ae02ba59d1f2c62ad3b4cef0f09a2aec382fa43a19fe28fdf33c45dbda7cf48341ec6fd245c218939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
5b43401e30c989e9608bf5022ceb0909

SHA1
9d57b72022b68bfbd42ba0139446136e382c13ae

SHA256
05bfd4bd1d1accb0ca3044cc89314c54041c737c7318755d1a2aef8caecc35a4

SHA512
70d59ffec9e33534653d42c833e21225ce864ae67a3318cf07b4d54c5862f1e948b7bc45668ec10b2ef1d268ae1a31d51343812fd700696b2bafd971f40ad0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2bb5869d19339c9c4f84ab14210f2f1d

SHA1
0b616d8cbb52c8fee6d46f52f9114016caea64b0

SHA256
57c12b8e9201433e73de02dd220e0e82b5a41ad94c8f695b4d64a00496413c81

SHA512
b183e1d63423f02ed824c223ce8231a43b11eaec8bd87176daf6da5f1e101d0cc53c9a73c1c7cc07583b196d5d32f27f633a09a844e8e909a598a3554183c359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
f200e3927d1e02da70e923b6b717969b

SHA1
011227e794eed44d0c6cd67f368362fbb212db38

SHA256
533a38b2eb29414d50298573f04d62e89aee2b6bbd00ae61424f254192bb8851

SHA512
87cb1b810460c0878edb445606d3a1aa0fb83b768d15ba340f6d6047646724c2fd024cf0c0b4badaa2c406049939ec5f0219f4e9c8bc65f277d3a67e33fb7c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
d2f519f6c6e14ded94fcfbd768ad242d

SHA1
5e3418f45c8dc379d0618189b7c2d684237c09d5

SHA256
8565aacf5491986209c786bd0d3b57b20c0d7efda4f66a916aa996e195d26bf3

SHA512
4b79e9622b3e046a8d52945608242af00d0e73d7a237050579e12c4f32a612e8b64a9a4e02264d82b2c287bd29bb4ecd6c5682e459065327016cce3bb7768880

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fa1c289cf1adf5dbab92c80afc8505e5

SHA1
943a5395e292f7e66eda5d9f8b9925387fb1645a

SHA256
e94760d9072629ae3cfec0d04ad6df2f7e2851fb0d6d68d7230c3f4b5a3dd626

SHA512
8696e1397c3de8361f6333ee3f62584cf918123c0602ee702956476dcfe58e9506119cf4b900a83b3dbbdcafbdc4a4759625c59fd6955ca02437542f4ca6846b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
7d75be8aa834c660b47988b4823ebc4b

SHA1
9efb92b7b3224d36cad3b8037d0927c76c4001d9

SHA256
8a7cb1989e20a54af60d5960283860329e04893b3e35408d369ee5aeea1a43b1

SHA512
a38019bb27bce07fdcf57e43e10fa022d58d7b8cec8f03a457fefd279910a5d3b895eb37ca575c3b856761642a31f21e24a7de8eb61c8036d7bbbe708d191dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
ae816051467d66ac2be3cf188abcfb37

SHA1
53b14548528995e25ecb98f7e8e6cd4e6f43df8b

SHA256
41aadf5031fe08b35951ef3ae1dc06410da29857596dfa5c6763cddbc3d665cb

SHA512
c7a23bd57f09f3debcee5c74b2098ef63cee1065da0399289a720686f48aa2e28f1e4b0aa0f8ed16c65989b5959452edd8252148b76608fffddd244b180fe52e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
857be420c88f994a98af9b7908303387

SHA1
1379bb8c59dc8ff88dc84a846fa78bd740a381f5

SHA256
5538219f378e9d2b34183cfd784383de5149a8e9fc38c870f71e1392a135683a

SHA512
ab8f73ea8b160822a3dd0c2d1d3d12d4dc0b88ab74dba627a7c308fa38423cae5a504596ad2346389f22912ad23c87a69694e6a42c2436abdf757a73c240ea43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
a4951c85b0ee6201d5e0d202fb28778d

SHA1
5c0058a45eee2767e56a377faef8dfb0d9710b98

SHA256
30ebd39cc5e7e55f66397eae610fbb7f2cfd90ee351c1585df0f01aedf336c9d

SHA512
a78ae7094116e75a28e6aa22576bfdb7b070a662143e95b59c911fd5f8b7bf4e82fe7ebbbbe86c68c658ca3f386601058f1ddb763cefe485e58deba92e3d056f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5441690117cedfd49e1472868a432082

SHA1
8a8519b379d2e2e98d5ed2c4337808ec7597cefd

SHA256
d6901a8ddabde7fa5ba4435edb625d0745c595999a22fcbd79871623e7018397

SHA512
d3d72a0bf12d69cd2a3b17c6d1beb427efc947d5e40cc4dc4a816c972a5b50487b7f876e79774cb35fd40d9c3e2a569a150328a49c0b132664beb4518e5ab193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9171933d133fd6f086cddc0d4ce55b1b

SHA1
14fdead7fef45eabcc9f7a8737a7c73ea5e6353a

SHA256
bced1022df85076389f476388a9e3c875712c46e89af8aa0a06dc54243ef8950

SHA512
f49fd9e7bcc44db788f79e1efb2ce225e962cf39885be5928e883906af385f3cdb183017e76e3dedcc47f5dff5e1edbd98222dd80bef077cd34fd7e27427f77b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2e4cc21c10acf25df694aeee59fff849

SHA1
47dbae095794f9b4f2e3d02405c9cbb6acf9ac33

SHA256
27a5888a30b9113e2c2634ec0b16546755fa3d00f4159e4fbe64a9689e073934

SHA512
90ae13ace118791c223e4fc44398ba8f5afe7c0237119cab4cf5e06d45a3eaeeebb54dc3ca48f8879782699efd281e2cab523dfeca36df9bc09a1f9852f7a12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
4c7f7d760c9940274e5585b5975a546a

SHA1
061f7a94f0c1ff3db37225fb41799d8a4eb63d92

SHA256
6443a2341fd022ec33c1f306b34954bc65bbf92f64c015202bd173c9c95c84de

SHA512
6686defd30c88eeb0bd4de9efd9311abbd89e52428d926c7c135fa98270f30dfb1607a4376ec25e2087aeabb687c3e6907fdcc7271bb764207a39eaba05188bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ba27214061678b7cd1cf25b42d18b8b1

SHA1
213b1ded7f546b17101e5822562b2b946fef3de2

SHA256
7c26115637b807f8024dedeb038c08fa59ab11ca73248d237fef74615e0210b2

SHA512
ced8011a4139ff8f2410c886f83c3afd1ea5e85578d2156fda0a87fff703298f9637f0e593659d35ac06a2c29a4189cc69fccbd69150d77fbff59703873e7e46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6b6b1e3159baf125b898695bd4616abd

SHA1
b37b42d7a4424d79870d1b5dec4e9cdcce4d3d1b

SHA256
fac1bdd7faa1b65612afb9899f31899cf3599273407493418ba8913cf7c5dd5c

SHA512
1e71978057482637e3ff418e9c131762b3d94406255c0de925e33e41794705433cbb148bd82499a6c42359a06e649254be361dfeb3b8e289098f76312e5c64c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
df17e4a137231f39547ce161a762cb7b

SHA1
7ab1990538aaa7febcfe3aa8779de3c563526d3c

SHA256
a4948b069f19858c777a845d2a3c7650bb2b583e3854f6cece45f9de850a906b

SHA512
a1029fc20a9a6e69db906c484359e196cfd57abd6a7f1771cd11303738319818f2ea3e1694cb1b57efc039f89d319f166095b92f784bea5c07733e837a5031fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
c15e788267f00d55e65a50df6fae74bd

SHA1
cd94bffa86c1fb0ccb57acfa5b70a576ce802b7d

SHA256
f29df709acd4a57a9bad0c7f5b7dc3028de32c558fa4306c4e739261eb410a8c

SHA512
cf5cb01fec6c53e1b3bd54e659498408b4a35d474106e311c305c33356edea9a7c5f36e7386cb32d4808aecefd41825ec241cf5260785cec6daba013bad4f2b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5933b8.TMP

Filesize
114KB

MD5
77f5a4047124ccc501347d9c0243bcc8

SHA1
e9065ccdd09883a97230f3346d3cd314fe4d2601

SHA256
40763c9b39adc3c590ad2602a2673ebe2126f761d915a2ac5f65c1a7383db3be

SHA512
2eb072598520768e9f145ec7494fd2af96b19d939712aec9adb783d66d82c27d49327ee540dad6759127d44ef3d95edeff19037674e166aea7cc74481fd6ead9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
413fd271ba46f52b346ce26cbaff788a

SHA1
d2c29d85753d4170075ef7b70752276fa15b7cd2

SHA256
dbac4225cd9e65b9d2412d36ac1d7503f7b9697ca7048d8b6aac05eced45658e

SHA512
39a61fe05f04a70b0e4769e095238019068dbeeefeb18f46340661de5ae04d938dfe5a687474b27459186e3805325d86f7553fecbe43339660ea63384279f04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5a8bd15b5f56372b3c64ce98ec38b8f

SHA1
f9e2d3583855a6bdc2fa7f470afa7d75cc17fac0

SHA256
8f5418b71d18e1e50db612033f006ce4ddfa18107589314b6525e180d0746082

SHA512
0693178da602947bcf5e6bdcac17b86e5799249a422cc2d2f1671f42415e0c153842de0da839ff1ce82dfa056b6dc1cc2637349ece8016958dca2021721efc21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eedca8d8b96217554c7bc3b62b9367c0

SHA1
aa3da4d5b6ad060021e96a48d5e43f4f591c04a7

SHA256
586082fde8ea4d5c17e82522e8efca8cb96e20c8b904422be436c37cd760f922

SHA512
9e65ffa931927966c0f2081c6cae9148af8a4f0df197eced75e780072aba7cca84e138ebc83e959507b77d5e765a7e867dc732af62d1686257be827287297ba5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 841660.crdownload

Filesize
78KB

MD5
19fd570fbcbe2ec23fc46733efc7f823

SHA1
e3d392f2233ee6aacbbe78c0e6d13e14780ebb3e

SHA256
12da161cf24cf674a7d157e615128e7f3ee90f33f8c00cf9a668cb9a90ded738

SHA512
3b232e63cee0e0fc42f8885292f83a0011b417befa9fcb1c7cca5e8d54dd457cf93c87c22bab994f3b7c436e992743ef2ace2bff425725d4611ec561cc5f94a4

Download Submit
memory/2176-88-0x00007FF8AF180000-0x00007FF8AFC41000-memory.dmp

Filesize
10.8MB

Download
memory/2176-162-0x00000205770C0000-0x00000205770D0000-memory.dmp

Filesize
64KB

Download
memory/2176-87-0x00000205770E0000-0x00000205772A2000-memory.dmp

Filesize
1.8MB

Download
memory/2176-86-0x000002055CA20000-0x000002055CA38000-memory.dmp

Filesize
96KB

Download
memory/2176-89-0x00000205770C0000-0x00000205770D0000-memory.dmp

Filesize
64KB

Download
memory/2176-90-0x0000020578360000-0x0000020578888000-memory.dmp

Filesize
5.2MB

Download
memory/2176-157-0x00007FF8AF180000-0x00007FF8AFC41000-memory.dmp

Filesize
10.8MB

Download
memory/2176-416-0x000002055E690000-0x000002055E69E000-memory.dmp

Filesize
56KB

Download