hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbk0yQnU2RE9YcVBJcFBSWDUtVzBYcGxWcEE2QXxBQ3Jtc0ttaWs1SWhPQzdxYmdQbUlVTmd6VnlPd3FEbXhzWER6ZTlBV0pWN0IzWExZZGJocmlxSzcxMmhBTTdaXzROeTQzR043NVFLVjNvZ0hyUTRENF9aNFlLOGZudzRiZkstRUJMLVJjR0ROMk1xU2l5OC1Saw&q=https%3A%2F%2Fgithub[.]com%2Fget-got%2Fdiscord-downloader-go&v=06UUXDQ80f8

Analysis

max time kernel
352s
max time network
353s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbk0yQnU2RE9YcVBJcFBSWDUtVzBYcGxWcEE2QXxBQ3Jtc0ttaWs1SWhPQzdxYmdQbUlVTmd6VnlPd3FEbXhzWER6ZTlBV0pWN0IzWExZZGJocmlxSzcxMmhBTTdaXzROeTQzR043NVFLVjNvZ0hyUTRENF9aNFlLOGZudzRiZkstRUJMLVJjR0ROMk1xU2l5OC1Saw&q=https%3A%2F%2Fgithub.com%2Fget-got%2Fdiscord-downloader-go&v=06UUXDQ80f8

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
53	camo.githubusercontent.com

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "186"	LogonUI.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4016	msedge.exe
4016	msedge.exe
2528	identity_helper.exe
2528	identity_helper.exe
5660	msedge.exe
5660	msedge.exe
5848	msedge.exe
5848	msedge.exe
5848	msedge.exe
5848	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5732	firefox.exe
Token: SeDebugPrivilege	5732	firefox.exe
Token: SeDebugPrivilege	5732	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
4872	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5472	OpenWith.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
5372	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
2724	OpenWith.exe
4672	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 1508	4016	msedge.exe	83
PID 4016 wrote to memory of 1508	4016	msedge.exe	83
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 3320	4016	msedge.exe	84
PID 4016 wrote to memory of 4744	4016	msedge.exe	85
PID 4016 wrote to memory of 4744	4016	msedge.exe	85
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86
PID 4016 wrote to memory of 1668	4016	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbk0yQnU2RE9YcVBJcFBSWDUtVzBYcGxWcEE2QXxBQ3Jtc0ttaWs1SWhPQzdxYmdQbUlVTmd6VnlPd3FEbXhzWER6ZTlBV0pWN0IzWExZZGJocmlxSzcxMmhBTTdaXzROeTQzR043NVFLVjNvZ0hyUTRENF9aNFlLOGZudzRiZkstRUJMLVJjR0ROMk1xU2l5OC1Saw&q=https%3A%2F%2Fgithub.com%2Fget-got%2Fdiscord-downloader-go&v=06UUXDQ80f8
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb138446f8,0x7ffb13844708,0x7ffb13844718
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3476 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,1870564110905790490,9193838539549276171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4872
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\discord-downloader-go_freebsd_amd64
  2⤵
  PID:4468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\discord-downloader-go_freebsd_amd64 (1)"
  2⤵
  PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\discord-downloader-go_freebsd_amd64 (1)"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5732
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {711f229c-2c79-41b5-8530-2b06cc8dffb2} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" gpu
      4⤵
      PID:3832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22dbca5-920c-4974-b456-ea486f0db420} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" socket
      4⤵
      PID:5940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2956 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 26518 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9338688b-be64-45f4-9b6f-d083c68d715c} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" tab
      4⤵
      PID:3200
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 2 -isForBrowser -prefsHandle 3300 -prefMapHandle 3284 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ec5f3fe-775c-474f-9ae9-60fddd4aa23b} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" tab
      4⤵
      PID:2204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4908 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd48a59-447d-4543-a7fb-de33e8d9b8e1} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" utility
      4⤵
      Checks processor information in registry
      PID:4384
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6fece4b-3d50-4c92-bfd4-cff9124bfcc1} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" tab
      4⤵
      PID:5444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad19f743-08b1-4861-9d3c-1218c59d28f3} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" tab
      4⤵
      PID:4508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5828 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb1594c5-f22e-44ea-ad1b-555288eda195} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" tab
      4⤵
      PID:4980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5372
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\discord-downloader-go_freebsd_amd64 (1)(1)
  2⤵
  PID:5136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2724
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\discord-downloader-go_freebsd_amd64 (1)(1)
  2⤵
  PID:1984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bced68ec5a7bd2fabf5f20f55bae16d6

SHA1
1e39c722e7bd4df6d9ee2de13d396c7fa1bd563b

SHA256
8ed5d7be029b089aec0a2cbee3287e12f700f122121a48fbcaec3ed12a49a235

SHA512
4d8340268d6b4441e405e9e6f68831e73d7c9272c3685219186fce08e88b84c991cf77e189c85a7638a09cbdf7b3e6a8042a90b717db040981c7ad2b27df1ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
59a8c08aba23a47024295cd88407a772

SHA1
573dbeaf4aa390c6441a2fcedcc4f3cef611fce9

SHA256
c1de4df9cb5b5c4bc485a11771c5c29e4a7c60ce2c6ed165d7fa3cd9a110e7a7

SHA512
725fe3669f7039891bf601ff7acfc4f3c63f956319d95931e1b1fc01d2e8a918663c4881ffdc5062ef296620fc55e3b60046b064c08cbced6592e49ffb0fef55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
975B

MD5
1edac865bd5747c73cd67aebb361f6ca

SHA1
c06394e1a2ea2114ff7918f9abc5b09073d5c88e

SHA256
b867ea18f64b28b89f9ee36027bd93f787f3a3036cc9ebe9e776b39c4ca8dba5

SHA512
95fbdd84f7049104c8ede1c3881158f1d28c6820f389efd797b494380bc211c1452bfa8910647d5e4513556a5cf4f210e60b336e244ab5fa334589da7cfe7233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6696b9a03012c96370a622547b1c40bd

SHA1
5913295971d41a35ba15712c954086c53c516180

SHA256
7887edeb99c2d24c3520c06efce76433009e592ba68a899a1ec56dbe0eaa2c66

SHA512
93a4cca8b6ca8cefead73e6936b3bb7c6f36d7d96a158e4a2826e904c899d8b1db368c08da98428b6d833922bb078beebc8986c6110436ef0b4808260bf598e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e07d8eab8ba68cc7f28c3778d4dffe9a

SHA1
dff78bfecab0b2a2b07becec6be9aea6663c31f3

SHA256
b4356755253d703ea53328f49b817fa1329071b8d8b2bc54ed81a558a4e5f169

SHA512
dfa5fd8e070e2919da3c01c8e324afc65134679ad5b9822451dfda60a74b2d6b00cfb18023d534ffdcb915dbd6d47e771c4224abf542c0db960ea4af5301d7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f661e612416affcdcda8ef1150185d5

SHA1
a52ab9b6118bf8f4b74117e182e21fdeb3b6c224

SHA256
54c3375d3bf5f2f0d708477810ca519aa95a2f7ab9c5fee7c51a0339d6896922

SHA512
bded46de8dba8041f7463d60b6ee70f23098e85f3cd7112ff28327f69f9de88e2d38c2d96136e91f5e8ca121b6860746141bd519001f3e5b74b1c82c6282a040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
33e099cbf531e2dfe19994a0a58a4cd7

SHA1
15f77505ed5a04cabce4d9ad69db033f530a974d

SHA256
816d529413e59f029b02d4693c05143b5c36e2a1465e6381aea703e7d7090786

SHA512
3060c6d880e5593e8e90cb746d8bc297638f177b10fa48ee2523952fe2090111a152831dfc287d35c329829f7990e70f2e99169eb2841471cf65159183fee4c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a0f8708394eabc6160812e1be6a0ba73

SHA1
59db5dfb7b863026736edb3d91d644ebc074e19a

SHA256
266c05797cbb422ab46ca2594dc093ba057b485033c7c7ab1817df56595496db

SHA512
0df2efd2a2bd1a0a5b7db394bae0b6ef11303404e8e367c766872cf5d637c8c335861c022ddaee7a8eda8530485186cc29ce94630b7e8c75a58ba3111d5f21b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
492ff9694abb698266bdb04ea68b5da6

SHA1
597815ee5e3ccfe5600a4c77b8cfd98652ee47ae

SHA256
0e8cb507e6595eed6ab615e32846913053cbcc5595fcac03e734517ce122403b

SHA512
e3e9eff8d8e074cd865f5e15d4b7aec08c818ba38ff0322a7b59a6a9e5ead9e3de4a17f12c4524f76aaf8ca120f21322a4a5a538159c2a09a44a24b71755dd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7f8cc988a94f392c5eadf0ac78daab1

SHA1
4d45b250b645791dadc41c7ce5aa0138e003b736

SHA256
d0e4bd55981e2c916c82a8930fbaceacc60f2a212b3fbf86cd18e4aa4d077330

SHA512
81321bdc06001998c176187d56c5dd93139ef2634ee50de9eb0ef0a7aaeabdfacf5edb78cd5a6e997d68bdeebb880c83345f51e2af2d0601a7f86fb45f839813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
49977e7371bf173994559c0ab2b53bd8

SHA1
3219879f6ce1c13b8fc1502664362f33a5cc279b

SHA256
eeca8befd9a69ae7ae6f633f3e554ada56e9232500fc5f38abf19f4c3ec4a82b

SHA512
10d4eac1817ffffb17129abb8659dfe037bbf616df8a65182cc55f17f70464bcea77a492b9d0098a67dbf2c2ebc972c978c75796915e9d6de62b1b6d5af6f4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6ac50b9bebd03c3da6c5c62aeaeda68d

SHA1
f7f4cde8a644ed514762201b02c0879068e5e24d

SHA256
92d939300917fa9c6358534bbb377bdfb94d37d35e835b487bd383833d0817c7

SHA512
6f21952a22822abb4de67ea17db8be5cf690d3e5a2d90b330def64a137a1bb2148cf925dd76d5f4d6488a0749c48e50693bdaecfcf59fc8dfddaaeeaf3f2ca74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57900b.TMP

Filesize
1KB

MD5
566a14d78303655771eb69928aa2ac4c

SHA1
6d6d14097d5a61bc65311d6f3ea7cfd061d4d83f

SHA256
50cc9f09cd4cd281ace7d02b613667b122e6d182d26bd349aa70dc1da2e36249

SHA512
5b0da16f845533d831a4c8a95b57466ab63ae82d2285246cac1ff5d4dbd4c99589c62a318e96f33be6e08cd27b8405400423c9e6f56cb1a78f6faf7da304e971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6bd53e5425440c2143a2a3343019480a

SHA1
8e9cbbe4f461ac74be34f522d3f3ab758a93ed96

SHA256
d946b50092937c7337bf6af7ee815c5930044cb4e77f97da094f6338d89c8d83

SHA512
3902cb704c8ec055fb7ac992234d81e6786caf2263fca36a13f21243ecc970d792848716845bb80af641ebd5e376d23a43591e69b33a6f6b3c11e365519e5653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
85ca41f1e103bbec2d688200d0ff172b

SHA1
91eb873b8f2afd896f3d2f3b989786e98cf3d255

SHA256
07fea1b6f2a697cb25927251b7aa19500a47f92adde63854bfd52c0d79402e38

SHA512
29f7b55e6bd256d03339cd60470784ac31a1486cb3940065fc6c2f3173042f83d3d8787b998b007b884f3de1a48ef7d32921109d0a6e39ed7175c9fd8bfeab69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f5d2d508c156a4ee3218a383f5682543

SHA1
7d1768001aca631bb35417bf0ccb7115d51d3ae2

SHA256
6746a9e923eea1fc82eb32646054d3f21e7ad8932c26cd693dd2cd0c6c6e82fb

SHA512
09e5954ee6de25a34df2ecc48a21e217ba9c09298208e439288ea493eb5a8148874a2b4310b1f83aa3c8d7c3cbdc54e5ccfd6c3c852b069df5fde37dda07ba76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\AlternateServices.bin

Filesize
7KB

MD5
4b3e0e365051ff5142341fc88071b367

SHA1
e9704b3f766e735a110a5b1085d32a03a8df4fcd

SHA256
b5889862d0613d043f7f4a23f431fb8b52fba561c8449f1c6352580c4ad32028

SHA512
4bb36f0312d6485cd40db685cf5d05784540bca5129a27103a43f6f6966a99b340b0f085cff48822aa1cda40c0b716e8a9dfd8e7d031c740c8e6cb253d456d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d32e3996d18c27f906de3b83e6a84bd1

SHA1
a73d212a74331dc09c34f590db3987db0482803b

SHA256
003968e98143bb02e0e31811804aafc210fd32ad1261e4973dafb875eaeb3547

SHA512
4a0b4aaa49e7edd37f844dd3a106342beb953dbc38c7650903aeeee502e2e764813fecadff7c853e304d72a34fdc46375fa1a92c2e08e8f424c8a1d137e3a2b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1779e95aafbe8758004cf7ffc680cb34

SHA1
c6cc078dd1b31cff642d9d17c40e0241c9781272

SHA256
09964b6029adb0a95794d98493e343170da17151275d2ccd3ee71eff3ae201b5

SHA512
b255b6d05c872122d76392bd9630ae1a28aaca3c65cd0151f56832995eeca1822d1f0c30ac63a4f8574940a1b0d5c1c4065e15420394202dec098aba9caedf38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\f4eaaacf-dd7c-457c-9b68-03cab6e15373

Filesize
26KB

MD5
56df2d36ccdc0853952b6d77b0dbca72

SHA1
c2dfe417e11f9a1fe59840762bfb0fe4e9d37499

SHA256
17d97418619f805b08f196646fc9be4c5bfb754601f9f2171489dd8af9dd913a

SHA512
14c0e44ca6a2b6e6f91f9fd089ab1810f1f6f8e465e5d4f3d20be200649e3cfc03b28e3962909e59019b34fce3cee7ce0e96eab9b913b61a3b40b49814c9ad6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\f64740c8-d208-48e2-a531-7606b552a5fa

Filesize
982B

MD5
35b78c17ebd34b364710020ce6ad8775

SHA1
a7e3930238980af346c61b2c7e84c7c011d817fc

SHA256
0ec45d7c8a2e7edc0feb8e375fde0b2632379eabd75a3e22f15f385ea2e1798d

SHA512
e9de512d3d53100d06eb3eacb602989c733967572175b62e509725c2e0524d24c3a00bd46c53f6565c5f7addf48a396c47d93dcc1f87a728d658a17103fffb8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\f963d6ad-e08e-482e-8ed2-2f08864a8233

Filesize
671B

MD5
73708d3db7a20d797c502f2516e24338

SHA1
35626ac6c0421eac3243ccb6ef3ca6d83c906077

SHA256
1edb3786601680e36637ea23d05fd7505a2394492b1d38883577081d7a9ebd63

SHA512
46755d9b88509f73d3100911466b5d61fca1bdceb12b842241f5e76e318bc382f716f37b2e537f382d739a5f754c17e95e5d2dc4595cb202acd0092e045b26ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\prefs-1.js

Filesize
8KB

MD5
005fd1b371b333a2269dfd2f5ab2e4d8

SHA1
e20aefcb9c5fad42dd5ae65f79b31bf0ee6d2e8b

SHA256
e2058afacf0547dcc54c89a7ebd1b0fa96203f5aa58ad41bf6649c83a5485632

SHA512
b0b02888fefc179164c1099cfa1393423a172b83a541f5509887de9de3b342e162bf319549847aadefcdac97436fb2410db2bbcac4f9290ea6eae90b586204b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\prefs-1.js

Filesize
9KB

MD5
c1cd731b1e6548d3d14ae3d2124e42b1

SHA1
eb01b8781ead5aec25b6af754cf2aeb5d6f05387

SHA256
205f630d50168196d7e1e6cf18a61ff9d4ea0b33ac0269077274cb6f2003ca7a

SHA512
59a995627d99f963bc933d1a873efeca979245beb2d3cee7313811c87d9421c02f450ddf896aaddae8e7498ba119e5d39bd5afaf3df538065fb66cd0e37c9d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\prefs.js

Filesize
8KB

MD5
3a2f860487a3fbafff0fe3727deb7efe

SHA1
7622ada16aaebb03c191b717f94f6dcd652ad773

SHA256
ff928729e406ea8f264e683c918e83ed8ec24c2a57263b2cd170ad9e4c4657db

SHA512
37293c8ab0cec29acc4392a18e0465f760c19b738372240af292d1ee56f12c8d79c6a01637e72cfd4325f80c0cd855b6e0c0d94111d2f182765b6482fd72e653

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
61c3cc0d2baf3ca7175c804260843949

SHA1
9f02f8a8544642fb9592aebcbd14997edbed72c9

SHA256
38756e48f8b0332140aa6ddac919519cf1b83bfdc2755a2d8dd096e500fa0dd4

SHA512
0aed91d6a240a3bf36378c10fad73248238c195892656a4016c0ba2d19fb8d2d1458e21c1ea7c59c683a8e33ee2b737df77d54a6939ea52bebd63ce182c19ebd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 231315.crdownload

Filesize
18.2MB

MD5
4bb1d5b30d3063dfc1c82555111cd278

SHA1
6f030ae70888a03fe78bb558cd91dd87745121dd

SHA256
0b31cbdf343166a70f8e2cf73e575dd04d58b6eff3ce0ecad9d146d51dfb6950

SHA512
c1d95aef5bf2a81432de98448044a82c92c09cb2610c199ec9cc82be5e42fe2d0942031361f10ad4691249ef5b1557bd82c02e601baa16862d4da0a0f596a9c0

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads