249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 17:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BetterDiscord.exe
Size

112.3MB
MD5

673c5e8265f3f9c40e2fc8a4b56744e4
SHA1

5d0b271b850f0cd8e01229b1a72a2c1215bc7956
SHA256

43894debcd60fed8d64c1a724e60eb860a9d5453b3fc0529ecf9efdbc10a8128
SHA512

920c25220fe7d0b6b0079f9856d3931c3dcf93c8c6cf74f1ca1b3946a327093b24c03eb726b4344445b4d386847fc67e9dcf8550c20617a79df75b5d9c3e7483
SSDEEP

1572864:AzeRomoaC09nEiziYtpg0Ymr7owq3Ddn35FZevY4v034WZZB0HDh996O/fJaCJpw:geRomF3o3V/ZevY/CHHd+Iq

Score

6^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
201	raw.githubusercontent.com
202	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BetterDiscord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BetterDiscord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 8 IoCs

pid	Process
4852	Gas.exe
1156	MEMZ.exe
5376	MEMZ.exe
5604	MEMZ.exe
5364	MEMZ.exe
5352	MEMZ.exe
3756	MEMZ.exe
4520	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{B0E6F1AE-3FD6-4697-A73F-D147E7BDBB3C}	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	BetterDiscord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BetterDiscord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BetterDiscord.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 244553.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 984382.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	BetterDiscord.exe
464	BetterDiscord.exe
4008	BetterDiscord.exe
4008	BetterDiscord.exe
392	msedge.exe
392	msedge.exe
1780	msedge.exe
1780	msedge.exe
4060	identity_helper.exe
4060	identity_helper.exe
5972	msedge.exe
5972	msedge.exe
5708	msedge.exe
5708	msedge.exe
5856	msedge.exe
5856	msedge.exe
5604	MEMZ.exe
5376	MEMZ.exe
5376	MEMZ.exe
5604	MEMZ.exe
5364	MEMZ.exe
5364	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
5376	MEMZ.exe
5376	MEMZ.exe
5604	MEMZ.exe
5364	MEMZ.exe
5364	MEMZ.exe
5604	MEMZ.exe
5352	MEMZ.exe
5352	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
5376	MEMZ.exe
5376	MEMZ.exe
5352	MEMZ.exe
5352	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
5364	MEMZ.exe
5364	MEMZ.exe
5352	MEMZ.exe
5376	MEMZ.exe
5352	MEMZ.exe
5376	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
5376	MEMZ.exe
3756	MEMZ.exe
5376	MEMZ.exe
5352	MEMZ.exe
5364	MEMZ.exe
5352	MEMZ.exe
5364	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
5364	MEMZ.exe
5364	MEMZ.exe
5352	MEMZ.exe
5352	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 4708	4672	BetterDiscord.exe	90
PID 4672 wrote to memory of 464	4672	BetterDiscord.exe	92
PID 4672 wrote to memory of 464	4672	BetterDiscord.exe	92
PID 4672 wrote to memory of 464	4672	BetterDiscord.exe	92
PID 4672 wrote to memory of 4008	4672	BetterDiscord.exe	93
PID 4672 wrote to memory of 4008	4672	BetterDiscord.exe	93
PID 4672 wrote to memory of 4008	4672	BetterDiscord.exe	93
PID 1780 wrote to memory of 2968	1780	msedge.exe	104
PID 1780 wrote to memory of 2968	1780	msedge.exe	104
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105
PID 1780 wrote to memory of 1720	1780	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1584,8269685881879980273,5712921704415727492,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,8269685881879980273,5712921704415727492,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterDiscord.exe" --type=renderer --field-trial-handle=1584,8269685881879980273,5712921704415727492,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9444746f8,0x7ff944474708,0x7ff944474718
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5708
- C:\Users\Admin\Downloads\Gas.exe
  "C:\Users\Admin\Downloads\Gas.exe"
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5856
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1156
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5376
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5604
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5364
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5352
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3756
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Checks computer location settings
    - Executes dropped EXE
    PID:4520
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7423159007538416211,1982061142265386988,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5168 /prefetch:2
  2⤵
  PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
31KB

MD5
a02bb3f67827b5981de3468e8b090612

SHA1
333ac1b65b3a4d9efb013fb5a9b45566c78ea95e

SHA256
292edaac9a0fc55a154d44be30f6e2e882bbbd2a7388e5fb0d3ae6093fef8439

SHA512
2258db63a5f06f59feb15d925ce48ff097d66228f0abb07c4e89ee31c31fd02b73a753b88e719cb7ea6bab1ae10c409f63bdd638c6fa2d18ba90e7f2ef139d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
911KB

MD5
6ff991fbe75a461708e9db2fdee802eb

SHA1
6891a6e986f17cf912e0786889965c2c794c8db8

SHA256
936109e5a2a2ac04bfa42f235b3a65458452e026befb3578c59842518f448538

SHA512
42d5973fa63bde6a42ab3af05bae1fa6add86f358a32ba08cdfb4b6f87d02e54def595a368d113c0e697d51c7d745cf4d04592f88d34e321ca8d635850e24b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
29e947e8ac76fb935d2f17397df27d40

SHA1
e912f5687eb1b493121293498c9136fca089d7b7

SHA256
c69dcb85d62a28b5ac9ffc6563b8474e456006cf068cf458bc542f24cb22d203

SHA512
4240c4567b9fca881e17243389b53e5ac4fdf57328de13343599202476ad10a5488562bb5c0e17093b8fbf1560b55988195822e561a37697bfeb790f2fd00001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
853B

MD5
a1253809f5390b14e2dc5ad1e7e5adad

SHA1
29032c966af05ba7ec9791843c474dbadec40733

SHA256
74df6d997e2871c62de4163708bf7653ae7dec258183937be0583134b1a489a6

SHA512
e40771c9f1d18ffc2a4ea0ee9dccfa0750ba81a94dbdabc3ea8cb2cbb51368bbc374ede8df293dc31b8e10417c4b4ae086b4aebb035b064f719119b2fc84e26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
936B

MD5
e3ec9c408712f623bb6357cf9ac33599

SHA1
a287308201ea00e8663899714e52c851c3931bb8

SHA256
4d3deccb076268ef1f31e69975a5792fd436beb4b0362025bdf58bbcf887f1fa

SHA512
25eea75be228d9594eadf8973602464716d1d3ea652e4b2ad6d864f0c8514b8ac63d9f179a2e7012f7086435bfbc6da3292132e666c4f9c0538b04132e9aa9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d7aa925575aa4ef0b740d6a2b5b251d

SHA1
cbeeb5c8c2f8924e49f00e62b680131adb107d2f

SHA256
3a271c6edeb6b9623508355c50fc08ea9992ec0ce8f25e1ee2789a571a2ea607

SHA512
a2b39c329da43760e8b029c09ab8f5506a86a4598b1e387d1f185df6abb4ae8348b3b29e90bb7f8772ca7dd126b8c26bb1be3a7538f867d8c3d22fce259846fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2709101d0e2e17d47d1b0297d79d12c0

SHA1
dbe95dd9035b899f41025c6636365b074d963c03

SHA256
eb708a1ef5a59fd89894965c34d7c84ef8690161b596f9a0355938f860026ac2

SHA512
89a1e94a68677434e673d6e5df3eda76b5b2862d8f94795df9809d177618bc57d7e574da408d96ec700e529f0e041f8b4f18fb325949100c85fe47484f90f4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40692a83450f4de93259c0a89d865fa6

SHA1
8f5940ef5b83dc6c6d41b5178cd87c09360c026e

SHA256
d37123c1a8c61dc65f82d515937db93d43a6e2f769bf9b736970f3e1cce3ed25

SHA512
d30b1605d108a75e92f2e83d2a43b4a0864a0d28d24222a3682098780157b5c26aa1197f70ccb17806cd2a5bb642a4ba849e3b4eb7df9e4afcddc11e45586b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d618d1fead05dbc0b886746ae4825b8b

SHA1
b811395392f69811ac3bf5002914838a2a64da83

SHA256
524e6b677815c49583136c0e063fa79e3bb96ab364308c764c808f4de18dfd8f

SHA512
506d890cc03c7b98cf51848141f4c337c3a60fafc2e3ec10a636e3e21d02635f46567138f1ec326eba8fb1b2d255c79972616be468017416ad02a8466c25c47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c099a98de39d3ce99d3259dee0740435

SHA1
7b8cdac67bb62104377e05e7ff6f22471bb2df4b

SHA256
f112dca977c7f290ecf2aace2fc3c8eaa8ccc7153c2b080a693015d552e39d50

SHA512
353e2093a05fdd0166dd98ba1896cc11e48cd7d8332a4c3562a582125be1b4d66d066f30e0cced145d6f636e4219fe7df3592e9bf055eacf8c32c2d2e8ec5801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
07bac6d8ea83518f00abcb637ae26ecb

SHA1
007594ee85b8c75600be95ea38c4664508110c01

SHA256
667f35e65ea94de221fa275ea73cf69e1882e0b0871e6fb04a0ee07103f1e471

SHA512
f99794cf8ae09ac70bb587b0ed5a2d4f398241427dd1fba6d90775f3bc8401372ce326009b8175303321c5d3a4105a28ef9edbc255560e91ec419f1bf0cefd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
534B

MD5
517372d917e34a27fe5f015b8cd2d6dc

SHA1
0cbfa3db95462e36d9a5ee90d698b5e640ba0015

SHA256
46c6f8a6735f12571ee803de306378fc82fdf111349338592069133c6f97a71c

SHA512
79ff9469163fbe869acc174f48dd0a368bae4dcad618dc11268fb8646a584193e7abbf8387c434393dd9efbb60c9b7acf377c832608c2789bd28cfab706530de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
38e6f218b67ae92c0bc92f8c99abe8ed

SHA1
d6c489dbb17c3f3d7a38c6362681924446f4526c

SHA256
a5efacb6fd119d51d8c4fcad9b90c6900ceab25ea3df4bbc6325e3fd3ce35117

SHA512
a2d53098037d6df0998c9e8bc2b91e64f9f44c8974a6db33e7ded086e843ec2a71a6ec3842f7090014cdc0c0a3e317a6926317ec6e4b4dde781386f05c09d20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d7092e75747909b36ce760e1932654e

SHA1
644f7e7108559f871a56a13e0a682a89dc79bb6d

SHA256
178e5264d80af14352ef77cfe476f43c7d8fb1769fd94af721a0a30426539595

SHA512
131d74087d7b15b02134df36bc365a0e0c512753781ed2bc4cc0e9289623d43ce2b3eef62709efc46fdcb47605a764c81e49b314fdf30917a5d1ab2e049ef32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
52fd205da9471bd871ad2ba5e6715a6d

SHA1
3d969771eb57a6e04cd53bf70a995455fc3b4874

SHA256
61043246f052f4737658dbbf5ac4067191274ee1d3c2c64d09d2f6323d54c560

SHA512
c395616437dbc76681a7af86c9c5618b62254e60c3211aee840af069c7f8b9a98bff9c2496b03b39c79d750d3732960ec33c48c2a4b80a2a462019f421b7ae65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
62d79619f12cd703967cb2c54ff5a657

SHA1
310d9456c4e6e606fcc85f642fdac8e92b26e691

SHA256
189b52b4d94f18f0c607665d6a1bbe39b5982bf955e7dfdda42a14c186b0a760

SHA512
27dd897562145f7bfc92aa463b09ecca2e3bd6c64391a3a1ec907a822fcc0971d3d23ba56550435c31b5f2e5ace4f97be79b7a12de7bd0c6d232f7f4fe63ad73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5829e9.TMP

Filesize
370B

MD5
99455bf0afd2a24aa235b05ac4d562a5

SHA1
9e5e27b0f3604899d2a0efa805be9934332d6e6b

SHA256
9ec89c8b0aca28a8bc6aefa585bfde4c6d1cd1444dd40037d0d68c29850951b8

SHA512
ed2bd7af4b377c5815d77258c566cda33c7925d504ba70590d79372da8a3af4f28b310201c4d62220e7e1d31223dc4993b3b383e6d98f90728907a476bb356ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
559449247313a62d26673df1fa5ab5af

SHA1
fbc6f8b44e49d5bebb9d90938c3d317004543cce

SHA256
1bdf32d663bb11dc2ef8e0a786fd717389a9a315f2b2ade851dd3e486f38d738

SHA512
2f8fb6161345619ca4e94d21dfcff2d1600dc60afea110642caf2111832477ebaaec748350b9dc4c6ef0ac5bf2cbcce3a1ce50d591a84be87583eb15a558aa0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6ce6d174639d7bef41db37a518511ea2

SHA1
a5bb21126d887d2815a7d004a4b54296907e1464

SHA256
d63f4fc5bff04859c008f9d7f48d7a0e6edf133651729ad22f8e43158da7a6a9

SHA512
c8fe76b1a862873d0efcdddd636d9b8d4d9a7ca2f81848f75e5d5659439fcfe08b8ceaacc123d01c63dff8a43cc35a91461c3041e21a3ca8cbbc916eb7f7cf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8cd193acdbb79e3f9b17c29e09b10b4a

SHA1
b524dbec9a6024b2c75043f538e4b202e841dd45

SHA256
27a37f52260fc37571a8b015c37e48a2580db2f2757697c345547c56e17303cc

SHA512
9102e52d4eddf631520ca92cdbb0540bdd52c2ec6ad408afe30d91d883a7d9d65ec0562cd4799ff6d90102a790c4a6defba44d2484812861bc9c7094ddec43b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c7ecd61ecbc1bbb54c464e902d6fb76b

SHA1
791c640a03deb58420ded33efd2ab8769b5933b9

SHA256
8a3898e2e1eaa74ff80bad682b0495d0ac4d05b1e2291acaa2ede750efa58033

SHA512
255b64b8fed1e40b8c45eab801699daa669ce801d86f55bb9e587e373f0921543d6a2bc83e4a8abcf53285725998a73be0fcc9f7adfbadb3bc28d4c12162d505

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Network Persistent State

Filesize
175B

MD5
2b7e4377653e6e07536efe7fc1bd78a7

SHA1
cdd9c03b91e368bc14c4ac0ff7204ee698fa285d

SHA256
bd367325bb3c469e1aa6dcff50b6296b9b8d5bf5bed538f01f36c29b0603511a

SHA512
5dae5ba1af5ae6e52a39092bc5b4ebb454906c919735ab5b7f7a4c84a487e26376f68aee9c86265142e03c0f163cc0623094fa4f2936bff17504c2059ba112dc

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Network Persistent State~RFe57a8f2.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 984382.crdownload

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit