discordrat | 689481c56c91f86cf9e6d034cb714e3c92723af3035c00c3c339fcb384258e55

Resubmissions

Analysis

max time kernel
150s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03-06-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA5-FINAL-RELEASE.exe
Size

78KB
MD5

7ca4d82e1aa342c82da6007947163259
SHA1

7875f56bcbb94747c85a54f8bdd465d866e01965
SHA256

689481c56c91f86cf9e6d034cb714e3c92723af3035c00c3c339fcb384258e55
SHA512

1685a6a2169d1ff6daec4de8c4d48d6035048e2604ff28b4aef6de168785d28c60793d417b9d29bb5e81831c595871f9cdee1aed1eec5f1cbb4dd8f5f746b633
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0Njg5OTQxNDg5NTk1MTk4Mw.Gcxhsz.QV1m4KTtP0M77UZ2GaIPNr05TtimA7gY4NjqcQ
server_id
1246899988789989576

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

GTA5-FINAL-RELEASE.exe

description pid process target process

PID 4952 created 624 4952 GTA5-FINAL-RELEASE.exe winlogon.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

4176 NetSh.exe

description	pid	process	target process
PID 4952 created 624	4952	GTA5-FINAL-RELEASE.exe	winlogon.exe

pid	process
4176	NetSh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
15	discord.com
38	discord.com
1	discord.com
3	raw.githubusercontent.com
14	raw.githubusercontent.com
13	discord.com
16	discord.com
4	discord.com
6	discord.com
12	discord.com

Drops file in System32 directory 7 IoCs

Processes:

svchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GTA5-FINAL-RELEASE.exe

description pid process target process

PID 4952 set thread context of 3628 4952 GTA5-FINAL-RELEASE.exe dllhost.exe

description	pid	process	target process
PID 4952 set thread context of 3628	4952	GTA5-FINAL-RELEASE.exe	dllhost.exe

Drops file in Windows directory 8 IoCs

Processes:

UserOOBEBroker.exeSystemSettings.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SystemSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SystemSettings.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

OfficeClickToRun.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717439929"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Jun 2024 18:38:49 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={89530C2A-38A8-42F3-9293-D54761B800B4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

5280 regedit.exe

pid	process
5280	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeGTA5-FINAL-RELEASE.exedllhost.exe

pid	process
748	msedge.exe
748	msedge.exe
1144	msedge.exe
1144	msedge.exe
4952	GTA5-FINAL-RELEASE.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
4952	GTA5-FINAL-RELEASE.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
4952	GTA5-FINAL-RELEASE.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
4952	GTA5-FINAL-RELEASE.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
4952	GTA5-FINAL-RELEASE.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
4952	GTA5-FINAL-RELEASE.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe
3628	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3272 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

748 msedge.exe
748 msedge.exe
748 msedge.exe
748 msedge.exe

pid	process
3272	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

GTA5-FINAL-RELEASE.exedllhost.exeExplorer.EXEdwm.exe

description	pid	process
Token: SeDebugPrivilege	4952	GTA5-FINAL-RELEASE.exe
Token: SeDebugPrivilege	4952	GTA5-FINAL-RELEASE.exe
Token: SeDebugPrivilege	3628	dllhost.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	428	dwm.exe
Token: SeCreatePagefilePrivilege	428	dwm.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

msedge.exeExplorer.EXE

pid	process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

msedge.exeExplorer.EXE

pid	process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE
3272	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SystemSettings.exe

pid process

4796 SystemSettings.exe

pid	process
4796	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 748 wrote to memory of 2376	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 2376	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 3556	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1144	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1144	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe
PID 748 wrote to memory of 1516	748	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c222db1c-a5e9-46a3-bd95-9473fa3168ce}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2620

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2812

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3272

C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe
"C:\Users\Admin\AppData\Local\Temp\GTA5-FINAL-RELEASE.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb94ea3cb8,0x7ffb94ea3cc8,0x7ffb94ea3cd8
3⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
3⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
3⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
3⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
3⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
3⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,1044403712185622158,6313267434085581665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
3⤵
PID:4344

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\UseCopy.reg"
2⤵
- Runs .reg file with regedit
PID:5280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3204

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1360

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:5076

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:6764

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:6812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
b0a40f6847934b610c24822c5c1e60b4

SHA1
7a984562d0765a185ab4af0f6b574b326410e7eb

SHA256
baa3c6350471601390dda37570a20a23567c582df132eb0fbe997f36ac831da2

SHA512
05453981b9bd66438c4e707a2763e00f58929f41bc2802f01ba240f3d7d46a6f2a7be9c28192ba783ef42c33d0f1e50766a70edbd61e8c48f299e0da75712a8f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
992B

MD5
2e286dd0367aaf12ac7a61923b48c1e6

SHA1
6757cfcc28a86552fa5d535bd8e2c247ef7b722d

SHA256
d33e3afd37e7150f69f78c16355a039925bb53b624587ef37727f8954c801973

SHA512
c347fd6731e59da059863918e3bafa07bd50ea8f3e6f88ad8837b3301c3971376a0665d081df3d8501ae5538a306a97f06e237e679ea3bd725256cb497307511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c1a37c2e89dd1e0889b44b45f9e59bc1

SHA1
64af4e36d077ed7bfd8bc5ce5a3895006e490647

SHA256
e58b9199edfa315a6b5c727866d0307141e4f7a5fedbc6fdd1761e27a05ef170

SHA512
1ad3ef7d98ee6a99307a352a2ca71b7b709392c4bc266e0ec87e37fdd8e6c42182ad65bc1b83dc4cbe62de3dc9d68b0cc64641bed7adf493928ecc301022352c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1587c8745e697fc070ef7cf06173b6ab

SHA1
bbaeee1cb3f97ce7ce94e0feee42934e11385e3c

SHA256
a58ef2bc7be0aba76c7f41f5debceacadc87699bbc85814f2629fb8823711667

SHA512
f021e851af8cae900b68b0fac041a29312a94df15599d624199dbfd015352d4b98507ad4b14964d7f55aceddfd57705d4a749c46574bd619dbbe17339fb6262e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6087b608cfdce8e368d44d036bfd4de4

SHA1
4f633f48d36952a2d33216d238b0c4751421c44a

SHA256
5dc1445ff5db37ac173d9681651f94c5c0fe57e8b6581b9080e885129ad1080f

SHA512
1b995133cf8422241ddd475fe639b1aa5fdcc032332c2184761d74f6d9c578c6d2fbb455647a5415ab3116b97a499e7fd5bdf21b331743bb44f943cf48872980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
47e298abec158dc123e750d7c33b5f4a

SHA1
908a35c3da59378852aff587aeaa5f7167dae1ea

SHA256
fbe96f322826e4a6266279e9fbfadd95a8b4faaaa28f7c3d8d5df8514ed03a89

SHA512
dc359dfb0f803cb2c668fc8024f6e75684f23bb0d4119f9be8abbc60519075dae52cc85cc164e8285374746479cff5c95968fa37cde9d5baa284325af606883b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
149153057af18bf54307a1659eb7f976

SHA1
95e50564d874282f2a96b5dc5d75ebd87629e6e3

SHA256
cf46e9fe1bf2dd9fb9149f33baddbc437fda013d1ef3764e519e05c3d792b2fe

SHA512
bbe8ad60abdd940c0ee7d368db0c1ca013fc72134bf2683ad7178c090263b9de99e8472feaa9c82ef7d8cf6ba215a215fbbf9b8700469ebbd8f3f1e5952c3254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
38397f47ba4564dcbf58f27447b48c1f

SHA1
ec7896095981af3faf8c7dabe6134ee8f5b97bf3

SHA256
43fbca4dfdbdbd0db0a27124255d8bf5378852ef0db12a20dcf79e1aefa88a40

SHA512
4d3af65dbe41da6a882a80bc61c53788c42f7add6cd064b2abf8de1ec53d801a2e37739701dbc17180974075d05c416c932b4eb9bb8c2f3da1750e4156948da5

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
9KB

MD5
a9c343dcbcbdeaed3df95afb2bf65494

SHA1
5f202bceb81ec2958997afb4c39e19e90fa2a437

SHA256
86b97cd954df7e2e6497cb6728c37dd3d7ab3caa530bb14e60067de19d66ae6c

SHA512
95b601d42fcdb269edac5f60a5036b03cf0ece017bbce3a658595b54ada777d707a83a956fe8ee20407409ee597990900e4826a842854af2d289e6a2dbd10dba

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
10KB

MD5
f0f73e1e31f1e7f8ee79227293bb4ac7

SHA1
ee7083df61045d4b14249a32a488890f68941208

SHA256
728eb5d416ff31448c976e9097f641e87dd3f1892ee923ed56f510ac9d6e51ca

SHA512
8e0df96cc6ad65c27e3d6f4e214b19d4f1f8441d52d4a7a6cfe1f3a3fa346fd525b1681d2657528eb7e966452fe859816e165eed0eaef9ac88d4591911ce361d

Download Submit
\??\pipe\LOCAL\crashpad_748_OEUHSELMDHLNNOBA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/428-119-0x000002303D140000-0x000002303D16A000-memory.dmp

Filesize
168KB

Download
memory/428-120-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/436-127-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/436-126-0x0000026CF3290000-0x0000026CF32BA000-memory.dmp

Filesize
168KB

Download
memory/624-110-0x0000013F1D280000-0x0000013F1D2AA000-memory.dmp

Filesize
168KB

Download
memory/624-109-0x0000013F1D250000-0x0000013F1D273000-memory.dmp

Filesize
140KB

Download
memory/624-111-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/692-115-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/692-114-0x0000023D9A190000-0x0000023D9A1BA000-memory.dmp

Filesize
168KB

Download
memory/984-123-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/984-122-0x000001B9673D0000-0x000001B9673FA000-memory.dmp

Filesize
168KB

Download
memory/1040-131-0x000001E106D70000-0x000001E106D9A000-memory.dmp

Filesize
168KB

Download
memory/1040-132-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1048-135-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1048-134-0x000001522B540000-0x000001522B56A000-memory.dmp

Filesize
168KB

Download
memory/1056-143-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1056-142-0x0000029A1E930000-0x0000029A1E95A000-memory.dmp

Filesize
168KB

Download
memory/1116-146-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1116-145-0x000002A9415D0000-0x000002A9415FA000-memory.dmp

Filesize
168KB

Download
memory/1208-149-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1208-148-0x00000293D8090000-0x00000293D80BA000-memory.dmp

Filesize
168KB

Download
memory/1240-151-0x0000019D14C30000-0x0000019D14C5A000-memory.dmp

Filesize
168KB

Download
memory/1240-152-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1372-162-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/1416-164-0x0000024B846C0000-0x0000024B846EA000-memory.dmp

Filesize
168KB

Download
memory/1416-165-0x00007FFB7D2F0000-0x00007FFB7D300000-memory.dmp

Filesize
64KB

Download
memory/3628-106-0x00007FFBBC440000-0x00007FFBBC4FD000-memory.dmp

Filesize
756KB

Download
memory/3628-104-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3628-103-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3628-105-0x00007FFBBD260000-0x00007FFBBD469000-memory.dmp

Filesize
2.0MB

Download
memory/3628-107-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4952-101-0x00007FFBBD260000-0x00007FFBBD469000-memory.dmp

Filesize
2.0MB

Download
memory/4952-102-0x00007FFBBC440000-0x00007FFBBC4FD000-memory.dmp

Filesize
756KB

Download
memory/4952-0-0x00000278A6F90000-0x00000278A6FA8000-memory.dmp

Filesize
96KB

Download
memory/4952-100-0x00000278A8C70000-0x00000278A8CAE000-memory.dmp

Filesize
248KB

Download
memory/4952-99-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp

Filesize
10.8MB

Download
memory/4952-4-0x00000278C28E0000-0x00000278C2E08000-memory.dmp

Filesize
5.2MB

Download
memory/4952-3-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp

Filesize
10.8MB

Download
memory/4952-2-0x00000278C1660000-0x00000278C1822000-memory.dmp

Filesize
1.8MB

Download
memory/4952-1-0x00007FFB9C413000-0x00007FFB9C415000-memory.dmp

Filesize
8KB

Download