discordrat | 64cfb57e5ac63b3b59c2302710dba7dad93d9b27d39a950ff5e6be4315b7cf34

Resubmissions

16/04/2024, 20:05

240416-ytw56ach4z 10

16/04/2024, 19:50

240416-ykjhpsba36 10

Analysis

max time kernel
341s
max time network
342s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tic Toe/TTT.exe
Size

78KB
MD5

bea6449a9c00cf3667941b6d9de42610
SHA1

dd771bee34b16935ff90b3baea5f854e8371b3dd
SHA256

161b52b3f8b209d6ef096dd464d9ab5a749846f5593ed4b9e3d03aeb3a7a9861
SHA512

8913be46ebcba2a7ce997a8b93caf80e5aa1878afd18c12191c6af6f388969970e625f8299dec08f2261bed5f00fd7408c542128d33d9139a72a0adcfbbd356e
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++PIC:5Zv5PDwbjNrmAE+6IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNjYzNzczNjgyODYwMDMzMA.G6KXZO.KhvjpXnxesj0UFK2f4VA8aIK-hpf6VfhFGsAVo
server_id
1224114376949235764

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	discord.com
12	discord.com
1	discord.com
4	discord.com
7	discord.com
8	discord.com
10	raw.githubusercontent.com
11	discord.com
1	raw.githubusercontent.com
6	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577707493286598"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-834482027-582050234-2368284635-1000\{2502B73C-50DC-4494-A6A6-AF01A7E1CEF5}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bonzi.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1600	chrome.exe
1600	chrome.exe
4776	msedge.exe
4776	msedge.exe
4784	msedge.exe
4784	msedge.exe
3472	identity_helper.exe
3472	identity_helper.exe
1324	msedge.exe
1324	msedge.exe
3988	msedge.exe
3988	msedge.exe
2860	msedge.exe
2860	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	TTT.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe
Token: SeCreatePagefilePrivilege	1600	chrome.exe
Token: SeShutdownPrivilege	1600	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1632	1600	chrome.exe	84
PID 1600 wrote to memory of 1632	1600	chrome.exe	84
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 1660	1600	chrome.exe	85
PID 1600 wrote to memory of 2384	1600	chrome.exe	86
PID 1600 wrote to memory of 2384	1600	chrome.exe	86
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87
PID 1600 wrote to memory of 1860	1600	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\Tic Toe\TTT.exe
"C:\Users\Admin\AppData\Local\Temp\Tic Toe\TTT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff96a2ab58,0x7fff96a2ab68,0x7fff96a2ab78
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4196 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4332 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4380 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1572 --field-trial-handle=1808,i,8657977610438653499,13174747262389765875,131072 /prefetch:1
  2⤵
  PID:1976

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffab5c3cb8,0x7fffab5c3cc8,0x7fffab5c3cd8
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,7946139519398336208,4536891438522667224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9351d000-0b35-4281-916a-86ee64728c30.tmp

Filesize
7KB

MD5
27af9155ce00183df39c47a456c55f59

SHA1
ee3659a287e23b7b1c6250ac10b1026d21802ae2

SHA256
046fba96bdf15de84b21d22f5feb7785c2244849332849d6916b407e67e0cc0a

SHA512
d5b822f76e576204ba7bbb51e188c6064606bf84e7f99a12248d810609ca5b5f5bda1463d3bf68af4d72639d4fa4bcd0417d160c4c2b64f23843bcebd0892fd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\99314a04-51ed-43de-b5c1-a7d7abbfcf91.tmp

Filesize
7KB

MD5
6f865ca25c10b39e6de0815a53a23a2d

SHA1
07dcc650a8f26b72400efc380e1ec31a1f2ec3f8

SHA256
fd5e69a967c755b43448f836bea24f3df1b14574f789e9e5eb05aa8fafc8b4d9

SHA512
2d414b5c8ce0892fa8d8d4d95ba817f0520699fc07bfe4859135c32864c4cb47fec8637843971ab4e660b58a09f928f2e6927ab252c2e3323b79bca07bbac7ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
16f559f7f8c5f751037e7700174a2778

SHA1
793a00ce52e322dc84694dc147bee57a039ddab2

SHA256
2257f8e7b66af03f263ba91de30912a404f828f143665bfd34889be34d8fb62c

SHA512
ed9b35ab33daa01002d62575965c1bdb0f58266b02494f6b215d9c77ad1755f076b9bbd6d5411f2b002e530ee52b7f9e42949091db36585b4b05bda79254ff25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
1ccaaeba0fc8b60b967ee81e0c490498

SHA1
3baf9ef79e72140aab4256095ef9124030ed50d5

SHA256
067f755322cc94d25b7a9f387ff73f936ee250d0e0e99c70b7e6bb3ffd5acfe1

SHA512
de32d60eda1c3d319cbeb71cd5cbfc5ef266880a9668953f100e1eae41a0c9ef0564697030e73b7352c80646ad7496312637f34a43f98ac8214bd8ad82977ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dde0fb43a0b0dca2bfae399e888d27e4

SHA1
aa05381467a4e4a329bfb90e3aeb0301531c9abe

SHA256
36a85c8198b5f0af7f4bb58fbe13f0e0aea57abd9dca37bf68201f6527a2a243

SHA512
267d16d8cb0cfbe98178b3d0a21072bd3ec2e1ac58ee7deff7500400f21c10d097b4ac23f90b25e7b8357347a0d2f2ebd1c963fe2188822e9f5f4dd80e62d816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
2bb8b0d38ee584d74c04f0b6920a845f

SHA1
dbeb32650d0af966dc82e7443c68716dfdedab9d

SHA256
dccc035080f7de2103524665dacd602e58eaee3a5820e1739a44efad536e0ac8

SHA512
30ab7753b60a38ef6d86a55cb063a605ffe3d83f7fece749465bc874fc064f0711199dd38e7990d5bdcd67c87151b901cb4514dd9246eec57fd226e71278b991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
718307512b892ffdba649bae53c5f163

SHA1
0c7af1dda22cf539b772e947859e4c0143072520

SHA256
5a3d37ebabb67089cd409eebdb742b122695b7084a7cc6de29002b5086653788

SHA512
c598eb7f87ed7e25598b4f6b8af2da359d610540b6551844eac3ad6e73b614dcc451213e481349594c26650d16b50a39957649992ebb2062bc96b45ba545795f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
62305eec7c1a25b458b66b72de10f2e7

SHA1
e7826e4d6c16b7205f560723041c232f32810548

SHA256
343e9a009859c24ee3875d3ab979b22d7306f0b100cbd0e34248c94b53ee0a80

SHA512
07dc8812b9ad7c3cae23aaff016fef1e54bd31a7875f6c79dbf1243a25e94bd91519e12cd26049637c3588a3650806dadde60aaa3d4dbf5059ccdd77d0e38676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
d6064d2e84d38e7e7b263d5c8b9a8907

SHA1
af49b99c43bdf8d1859b6a47d72555571d60be02

SHA256
2f482fc78e75062a24e2b4318164e4b8d9f0696e86046f83b0ea6d25d52dd2b3

SHA512
8c56eb6192c026409a99eb5f6df7fa51c9340300515febd2dc00c45f561b79b7549f8ddaab7aafb643d1be1055a2741e2908e040e971e9d2b602431682105e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58ffa8.TMP

Filesize
120B

MD5
2d67e762af6b47cbb5f6db475d45e130

SHA1
423822087d5849fad754d05f3dbbe28e356e95e3

SHA256
50ca3ff0d0b54ad5ab9eaebcf37cfac9d2f5b1c2b677747d62ea5f250308f896

SHA512
ef081519232d07e45737c7f6a2c6f01369f9824cb2f97f79e0e19efdc0fd9eb3814be89709024a16533c71880b2cdaf0270a2249851f58c4665d4e3668aee865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
7f28e545e8826dfabecd5d541e46eb7b

SHA1
36727f318c0b8de386563e34b0c545b6eb203a1c

SHA256
ebd2ac947064a6a79591a5134982ea2963633122f453efe5d55583dd03ae17fc

SHA512
a08263df44a9673ed7bf794bbe52b36258c9231b2285a60f32a2c24afc55c3a83153923d6aacf94e711352aee962768b99260197106cf695da9c8aaa7eaf61e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
40c0f3f1c70f3a70bff374be91336c1a

SHA1
7e99e2249e15d5600be554e4c590712d5d461dd8

SHA256
0a1a1e3752d3c26737d893ba06656738169356b5e6d8baa1a5dd009a1e8e1749

SHA512
319d2bb0a4ff42a38cbe3f7246f989d4e5a58f620baeeb8009154217abc6d8994df0c3c959f0d00fc459f6f07e762958f5cc51c616d628b91d8d0da7459d51dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
36KB

MD5
e436e9f7d0b7a7fef1edc1dc7078abf7

SHA1
a5aabaac39d2163e619fcec4b1fbf1af8c6302d1

SHA256
6515ec9bdd51dd67a3018772b42b7d8ad3e83d22844f4baf0c888328bb73a1c7

SHA512
c3c1649c9c5e7e9b175305e73757346030bde5770693ef3947a0b6f2da2852a425bffc5785dbd880551f4c6821a11c560af58de75c585a257ed2128b974dea82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
011f843eb61c4182fde7b63d3458a46a

SHA1
684a2ad2afa0a6c549db9022800c9fc8f9e76562

SHA256
8a1e56d3c132104cd0c5c4998f908cbeed6ecf69e8cf6b04774f20d6e8b59940

SHA512
cd34f2bfe412c64f850fe9454643198632834edf6260a4f0a6d630fcd64aef06326f16d57c72f1aee6c9348af44165b5187e790950a27ea42ee41f93924a9a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
707608b5e92033e2f3fdcab89f4e2fa2

SHA1
fbfcbbb2d3b3dbe210214008e5eefcb9ebcef730

SHA256
5e9e1dcc0ccc4e46c5f8edd012b8f4f0094c43f8175d22b12677b7bcc9f45088

SHA512
9d18b6dfa09e67774b08f5fea9700a19942fd79fa4c051352e1336ef07f762aa78b319bb62fd90f20c77b0fa9b3a7b40752703010948ea2f8051c8017abfeb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
349e7bbc8ed950c2f851c117796f79fa

SHA1
1ad8f23622a91cc975a4c0b64fa1e806066e74dc

SHA256
4a8abb95953ce5463d9ef45dea4fcbb9574224b11fe629c19e3c474ed76eb7d0

SHA512
fd55b292d99220f2cb8a8b80dde2c0f86dcdeed3252429df1ebd63f1338f4785a3908a24075aede505333ca84b95f71c7ddbec49ebd8600cb116f3ba2563eadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
919B

MD5
961d491093935aa2b840bbe84abb5e26

SHA1
79ea6686330d5169169c67baa693c7dda062ebce

SHA256
fa2137e8c2a837b237466dd55c5169a3958da04b119011fe95acec6734ddc85e

SHA512
70363e4f3d3579fb0e59a1790eb9df13a28df0ef8bebf7fdedf3d7540194c0d48ba54909a1f07f4ddac9f44f6080c93b563acb29a4f9716b54993d7972f34206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
918B

MD5
bb0b14784433dc6347af40d9a6594e7a

SHA1
7cd19d06a5bcbebb91cd168ab0c8ae5ea5db854d

SHA256
5f274bf65fccfa6bc4c8dfe95b760fcf0d44147e8964dfc19d2640fd94ae51b0

SHA512
8178fbca858aa2e33f3198340311185b1caa937c13961f747be35c5fb9aabc902a36a8b9ecc5cc86d93f011b298307ea4e282795a3b3d6f447a2e45d2b9bfc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd6ecd8f65219e5eb801d7c596ac8e71

SHA1
70a1aa5688019e75fb2f05680b1c80b7f45798e0

SHA256
14b0c3dada0c3790c6a74ca1948fa373bf5a29a5a63ef9d71203d20ff858960a

SHA512
b81a2d37edc470d69cc15132fd6632601901bfc51bd3cee95b19ac3e4beebe0cfca2e932c2e14372bc95493aba82fe78f60499695071d0d4ae9960c0ae197e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b983493ada06ac174dfd4c475ee8e48

SHA1
5c076d695bc25307e3ded363ce015373a1cba991

SHA256
3e9971621899161e11871a65c31511921e390dd4a7ac757536da00755d319f5b

SHA512
4221755f7ca4d23b479b58addb78f2120a593288a4b006419512211267aea60cf3b29aed81c43d313f64c39dec229aecf9814c11884f51f7b4aec0762dffa76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e04057cb452099b7eef8e41dc52b08e

SHA1
de88d985106e0b4cbc8cc484369480f708e563c1

SHA256
206d129717539e6b7b2c908a27323a893a7d487bc6778fc15382d56e5bc50695

SHA512
6fc460ef9e9423b25dceddaa27515c35d56b706ffd2f9e9d66e324711c8799d5914e58e140b36aaa2ebfbb7ed80d988fb68f0889e23825446496613b40aaf954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0b84df0ee711f6ce991bac5983b561ad

SHA1
76f422b5c8a5b93e125a97cf0b654f68a8a5ed03

SHA256
f3a607c4e2b7ecb555e4a5de95d90b5a307a8db00123c12ca78e702fc92036e3

SHA512
96107cf0b626aac49e4824405d73d29afe16ca1e9e19d18705594112b1c11223108ab144e9d1aa17405f7151ebfc03ed66198b7bdcd4c270aeb78f11a2d4218c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
19aa59929b544a9c3b468d48c8e04993

SHA1
37ead063a8bc6b4e0adcb084df8aee8df9f13df1

SHA256
84dc34ed9efcf2f1bd3c7a3fd8ebf2827c6f57d2a37eff8a5cd67ad26c510c34

SHA512
9ba5ee646d6bba109ba984ca1bd6fc17fd7681b5be26e7be08c24dfa069c824e01a34029d029fce384c75e4880a4660f20e6d7a0a5f6a38c79b9aeb8afafdbc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fb4e.TMP

Filesize
370B

MD5
bc7afaf4d5191f8bac2c4528e62e775f

SHA1
773055e1778d2479c44e2ffcba39b4ce7c2c3272

SHA256
136d0013c66c5fce3e67c5d556d992eecdc572e3684de494a06cc8ffaa848609

SHA512
5dc66cc98dda19aa909ab155de2cd1e2dbede272d7966f382dc446d7a42af1356bbda21552b9431b81195081676904053b3391803ac2d1801e77048260123b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e094533f646e00c3e42f7cdf388b1a0

SHA1
50bd034f49129e8c68f7923a55680a6015dd7905

SHA256
8fccf148d250737726ca35c52b4d3405eb2276bb61dc493d37a2a3d6827c7bce

SHA512
321a7fa89e6a936bf9cffc2d9f2551c2198f0aab1f42e63feea0cfbf31747a1fb5ac48a7e2d7810b5d28e89909690efb9f16465e3881586e86325b63de18a197

Download Submit
C:\Users\Admin\Downloads\Bonzi.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4600-0-0x000002474F780000-0x000002474F798000-memory.dmp

Filesize
96KB

Download
memory/4600-1-0x0000024769E60000-0x000002476A022000-memory.dmp

Filesize
1.8MB

Download
memory/4600-2-0x00007FFF9A450000-0x00007FFF9AF12000-memory.dmp

Filesize
10.8MB

Download
memory/4600-3-0x0000024751430000-0x0000024751440000-memory.dmp

Filesize
64KB

Download
memory/4600-4-0x000002476B0E0000-0x000002476B608000-memory.dmp

Filesize
5.2MB

Download
memory/4600-719-0x00007FFF9A450000-0x00007FFF9AF12000-memory.dmp

Filesize
10.8MB

Download
memory/4600-5-0x00007FFF9A450000-0x00007FFF9AF12000-memory.dmp

Filesize
10.8MB

Download
memory/4600-6-0x0000024751430000-0x0000024751440000-memory.dmp

Filesize
64KB

Download
memory/4600-7-0x00000247515B0000-0x00000247515BE000-memory.dmp

Filesize
56KB

Download