discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1255165018316476447/1255253149036580914/Sigma[.]exe?ex=667c7518&is=667b2398&hm=33809d33cbb516befcb10bbf7b24b310096b724bc8b9c84c921ebdb5ad1a60e6&

Analysis

max time kernel
1799s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1255165018316476447/1255253149036580914/Sigma.exe?ex=667c7518&is=667b2398&hm=33809d33cbb516befcb10bbf7b24b310096b724bc8b9c84c921ebdb5ad1a60e6&

Score

10^/10

discordrat evasion persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NTIyMzg4MDA4NDA5OTE2Mg.GukmSG.gcxGub6ITuDxOUV3cxXT3R61bKP6OmYlr0wc7s
server_id
1255223797854765067

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1560	Sigma.exe
3160	SoundPadV2.exe
3044	Sigma.exe
3924	SoundPadV2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

flow	ioc
101	discord.com
104	discord.com
110	discord.com
124	discord.com
22	discord.com
100	discord.com
1	discord.com
111	discord.com
126	discord.com
20	discord.com
52	raw.githubusercontent.com
79	discord.com
103	discord.com
106	raw.githubusercontent.com
121	discord.com
127	discord.com
18	discord.com
58	discord.com
107	discord.com
116	discord.com
69	discord.com
99	raw.githubusercontent.com
70	discord.com
108	discord.com
21	discord.com
24	discord.com
30	discord.com
67	discord.com
102	discord.com
122	raw.githubusercontent.com
128	discord.com
26	discord.com
27	discord.com
123	discord.com
46	discord.com
105	discord.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7456.tmp.png"	SoundPadV2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpF2CD.tmp.png"	SoundPadV2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638204391812536"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Sigma.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 946005.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
4712	msedge.exe
4712	msedge.exe
4248	msedge.exe
4248	msedge.exe
4000	identity_helper.exe
4000	identity_helper.exe
1664	msedge.exe
1664	msedge.exe
2448	chrome.exe
2448	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5376	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	SoundPadV2.exe
Token: SeDebugPrivilege	3924	SoundPadV2.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
5372	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
5376	OpenWith.exe
4732	MiniSearchHost.exe
1088	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 236	4712	msedge.exe	77
PID 4712 wrote to memory of 236	4712	msedge.exe	77
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 5036	4712	msedge.exe	78
PID 4712 wrote to memory of 3172	4712	msedge.exe	79
PID 4712 wrote to memory of 3172	4712	msedge.exe	79
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80
PID 4712 wrote to memory of 5056	4712	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255165018316476447/1255253149036580914/Sigma.exe?ex=667c7518&is=667b2398&hm=33809d33cbb516befcb10bbf7b24b310096b724bc8b9c84c921ebdb5ad1a60e6&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd06033cb8,0x7ffd06033cc8,0x7ffd06033cd8
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Users\Admin\Downloads\Sigma.exe
  "C:\Users\Admin\Downloads\Sigma.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundPadV2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundPadV2.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
      4⤵
      PID:2376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd06033cb8,0x7ffd06033cc8,0x7ffd06033cd8
        5⤵
        
        PID:1196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
      4⤵
      PID:3960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd06033cb8,0x7ffd06033cc8,0x7ffd06033cd8
        5⤵
        
        PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
      4⤵
      PID:3456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ffd06033cb8,0x7ffd06033cc8,0x7ffd06033cd8
        5⤵
        
        PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
      4⤵
      PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd06033cb8,0x7ffd06033cc8,0x7ffd06033cd8
        5⤵
        
        PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13112624143736822025,18213744245290821601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:1
  2⤵
  PID:5616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

C:\Users\Admin\Downloads\Sigma.exe
"C:\Users\Admin\Downloads\Sigma.exe"
1⤵
- Executes dropped EXE
PID:3044
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\SoundPadV2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\SoundPadV2.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5376

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4184

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:5400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5864

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5372

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC
1⤵
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd004fab58,0x7ffd004fab68,0x7ffd004fab78
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:2
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 --field-trial-handle=1808,i,15945165532884344684,10307487929394011848,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
264bdaad340241a462035a0259a95731

SHA1
fd785dacada61fcfc132e6f5287cf243d7c9a62d

SHA256
9ae185de85114ae219eb0cc4370d71dbca31f5bad3ca719ec7d544d753e96a4a

SHA512
df9544365b6847ef2eaf7c70ca3926b788b90bfcec47fcf9d861422f339e934042ace6f2c017940224580cf36a2fcac7206243a9ecda7936536eb870e6ad23b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8451f5e70b685dceb4815f94d980f8bb

SHA1
c3527f49bf3870011b4b3aa836dda14978a5c60f

SHA256
f44dd932b2e5fbeca7b462eec74411544768305c903f1e1ab743420e6ecf05e3

SHA512
e49a4d6ccc9ca66c0aed93845740ea8fbed4a6b0875298e3c349750b86b8892081781459400d8f9a870448ea600db4e47442fe155b028aff26ed93315bece52b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
66d40912444d2fbda542b6be3ebc3bde

SHA1
5425af34b35d47a12101da4f143c6253b9727ba8

SHA256
0b930f9d4312ef43002f385412a6ae212ae3cd6634b9a4cae737c5ecb5764938

SHA512
d68b5841b20b7a64cc7b4a58f094ea648f6364ae3e5f93ba6475e829c4cac8d16de30d8db68b2af49857cc1c31ede53938cf6dab8c5912c6a7b960c925e79dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fbc30983257043119fe74c170876c8e0

SHA1
3ad9759e410901569ad4260e4e6f28507f0e41a3

SHA256
f893235c263fb4404decf04c677cf4a5354d57e5255b865a9fabd70fcad219d1

SHA512
17a75f933102a41288354b27f1a0be2a592f371568b597ecab79880c5fdfc7be7b67917962bbc8d2d19d383baab7d16202377d94d8cf9f29539fcc47fd9b1b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
261e70fb55d2398f83575622be2ef46e

SHA1
8764fdeab03c3e71cce74be78f0239c326a9e483

SHA256
b9bb92986336ce9e3a49c397d1c53f53ffb01be401ad2115e7a5cd9f6cd40c18

SHA512
3b76a4244f901d89f3f44295f412e0a6bb5a93e3cb7b828b9dca361fbd9c96ffd5ca90eb12f6c48a169821cbfc45cd24f2bb9a64c4990a6653e61a99fe4c4d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5704f22b-cf01-4dc7-a37c-fda95264fb6b.tmp

Filesize
11KB

MD5
9937a3b6824ec3036532f039dc271d40

SHA1
a48e5b9924fe0c8122bee40ceab07287cd4a44db

SHA256
6019b47ab82c0c090cb6f009ecc2af30c4cdd440ca77ca1e7667a37330701085

SHA512
f1d57930db117666bda7dfff812a7f4c928e934495cd98c1f63a66f3ab3e2cd61292d5c3d6711d899d9c4597154cc7590c6ee2ce4b8b2898206d2dfe8eaaa95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9aa54e0f-5f37-40c0-adef-d986b72006c1.tmp

Filesize
11KB

MD5
0beb7e44abe0e65e1fefb76ef6088ed3

SHA1
a14ea4462afc990d8cd4aecaa44bff75fc04548f

SHA256
d5fe63ce670473c89b85ffcde7b2c6ec7bfe6a536262d1ff652922311b96ac41

SHA512
031d2e1324a93178cfa7ba417edb3dc0a4b0ce89fcd79bb8f544b8d42cc697e6200ffbe5e51fa91a6bc1b6f0523106f100eb21362d9fbc52faf717b5c7b68fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
27KB

MD5
75f1d5724eddb6c481e2e87727c0a19d

SHA1
3cfe079018e25b2646f23e0744bc5af2114ee256

SHA256
751f9ea75e28033193df30031bf3d33e0553e1644ccbaecb26fe7d3bda21b78c

SHA512
a52fade9a438e7896f12afb5b8cccf05ab2cdd71dcc8683ba80001e74800d0c6a6d446d162e75eff573ccfc7106c1beb6f91bdd41753b81a6f5b7510c7c36b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
470b167f6254a0ceffcdd9d8fb75e72a

SHA1
d1010131a7fd5ca1b246a8ea3cf24046608f2b56

SHA256
ca76f5e81f95cf51751b3cd1ed9745865dad10c4b255cb1e7ea3091e9b10ed38

SHA512
b96de0643aa98cbff1c1a2585783bda46d71b8e6fa5de92181f9d042570c6575fd9e058cbbc50c5d2692d028674aa032afa7c83b4cf872282206736d8aa78c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
82KB

MD5
99208edede581a324cf2cd4199f69152

SHA1
179a0f2437ff76f31c84247fd70f9dc03f4f7b38

SHA256
09d53ac9657be50baad84c57f7507b8e1d537c49410b050bd877e0efa6b58164

SHA512
b4be534439c1f8d4f6fcacf972e9346b3547cb9c6f68a13eff2bfd9775c01e93fced45f9216103dec56e84807811db630242d0820b8898f64af741453143cc3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
31KB

MD5
7f8a4f124f314e0f1a6d26a2ad2606f9

SHA1
b10bfb19db2d40eb4ac17735c385493e7dd04c48

SHA256
7bb5dd5ba2a9a34556880c1a064625644803bc44e86914e0185ba6004e917676

SHA512
217479bdba2eff0c329faba1f3c90cb287a716d50c1270617231efd40fc554ff9867875582222dbe0120d0f0325730fa4e43ba76683faea1cb8868e10e0f13f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
28KB

MD5
b428010d1e63888d7dc91920c2135e24

SHA1
7d88aa246f53abf5ad5bb1cbdf940c5bf2daac50

SHA256
7abd2b3f2ce7c0eea015a4168b6818ad555db2202abb0514d5fa082d713e9080

SHA512
cbdfdf274b143d8569aabdd8b190e5d484781f282afca5f4342faee3172b741324ad7cce992be0297430e3be1062fa6f9a8a156a2452f5881db52a8e49e443f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
27KB

MD5
4b45bf8d765a704e2caa4bb095daca76

SHA1
0d7b45de129a91f18d9afa92798c67e904b89a76

SHA256
ae143afa703e92836cee7188fa3abc52ee84af45bf3b24f2a9bf2fad8575d3e9

SHA512
ccb712749d496ff941ac8c026fe854e44234b2111d7683cba9de9aa4473f7b241597e572a9ef9490be68cfd353b3deebcd49af2989729e9e936a8a70c9e0ab98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
99KB

MD5
21d77835dd1621dac2b74488980d4f4c

SHA1
c983d608601256f1f0e6b585a3baa1ec2ea841e7

SHA256
80557d62c82b0c0c5d7f9086e5f5e9686f1d162a744eb0590073f97c0d31e284

SHA512
1fc8d230acc5689d9559b4bece2e5efa13381de53f647d95cd90d7c2cbdf7fc0c1f0a9eeb31b24ca0e6372f23dcc8a84e2844a26dbebd3c38e39d713dabd7890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
29KB

MD5
b65bbafce4e77b1c35c784ccb31ce68d

SHA1
3c35dd7180a45049ed5ca711784228b3a4c4a59c

SHA256
8831b18a93c7949b3e178adfcc9e7a907a3c4dd3b10955f82beaf3c904937154

SHA512
332a45bec58df60e8bf8eb77e626fc0118adad5cc28d495b7dd9d0e49435a441bbfd0719d6f4bb19407a320e1db26e8bf48dd2c9a813a720eb73a074902727ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
29KB

MD5
cf776b128a74f76a26e70ddd68b46b61

SHA1
24c15fb603cd4028483a5efb1aecb5a78b004a97

SHA256
346cbe6774bf3bf9f3a5aacf287f859103045b0dcd4a32839b00be9f391259fc

SHA512
20751f34d1a3a63e580581d36902928c7780dde70fafa75b87e406965f2dde501b9821cd45c824584d1ece21566eb5fa501d1effdfafff0b2e27ec806bce8f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
20KB

MD5
0252b6f8486bb61104beab8aaf14b893

SHA1
acd37e640cc5ca229b2135b382f851a7753f88a0

SHA256
9907708b98b00143045e0ccca30175a5b81499d1f476c5f1ae009bff45287b0f

SHA512
eb9c6df6c94e117bdc848c16212e7660e8a5e9b9ebd2dcae8b2bf176f04f57ad46298337a0d7f6faa80b95e0ec72b94b98a6719e435b4cbf63ee1abb37790ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
16KB

MD5
f8a1060d6f3b75a09c12da96f0478086

SHA1
342339ddad742c820a69b1fde843fb1154b33c45

SHA256
93771314d57ea1697d2d240ac6337215de00ef76eb443e384f2998075491a9c5

SHA512
175e376ab14760053af55e38aea7f5781926619487713e1432aafed510f208125c9e1682f0a1f62f26015e10661bfb04042f28e716609adeebac700cb47fb394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
17KB

MD5
38635533f7a7d5aa860a4b82ed5bbd76

SHA1
0e73aee454c346c1e60a77ea5abe2e542159cacc

SHA256
62c16b40ca755e7f6364dcdc0d98e631fb07e548c7dd565b5df0be828fe0c195

SHA512
9ba56b3dc156c19e0f5df2cae871420ea0f362f2329982354120f08c428019f0202a44df09d121420adee9f793113276a50acf676197ba769705663de570d3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
17KB

MD5
f6937c77e2bf32541479673d03de653a

SHA1
e6841a94ccf06d7aae994d0109cfbb1a1e96a875

SHA256
12211072fb3e415f4dfab909ba28a1a39a1d094305abc2122285845dc32ad235

SHA512
1e958b4b6a8473c9b99c3eac5c839542f0e596fe7dfbbd1f5f4d7ea3319e0d141a1d7b56e940ac136710dfe823ceebcb469ee017dca4bf84e7a4fb1cccfec9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
17KB

MD5
18444a2fe97b2576494f069ae739d777

SHA1
9105c1da3dd1400a4eeb93a78c503cbc7bf1fcfe

SHA256
9d635d2bf8ca838aa76f3454bc2cc80a4031936d1af3c17509afa6019fbdec5b

SHA512
9208a9540a3004685add1c9861d97a59c5f67604c7bfe444c0a2719483ecbbb34d871108d049ebfb907a764fd61b78ea4096368bb93bb36ee7368ff7decf1202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
60KB

MD5
5d061b791a1d025de117a04d1a88f391

SHA1
22bf0eac711cb8a1748a6f68b30e0b9e50ea3d69

SHA256
4b285731dab9dd9e7e3b0c694653a6a74bccc16fe34c96d0516bf8960b5689bc

SHA512
1ff46597d3f01cd28aa8539f2bc2871746485de11f5d7995c90014e0b0ad647fb402a54f835db9a90f29c3446171a6870c24f44fb8bbb1f85b88e3ade9e0360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
677d83d6119c1fb49249a9dd2350a1f3

SHA1
99b5adda1b27fc8c5295fa859d9ed1f32ea9d312

SHA256
82659499a5a6f6848edf170091770c347bfe04464c23d69d0cc32e5444eb3851

SHA512
0c3b1bfd90b323c338c7b28076bf8328695e81ce19d5ac9bbefbbd08f718c5ea925570a2bec2b4fa2a1334ce1265bede42f6775d3db42eaf9d92273973b99a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7f7e4a9e1968e2878d97921e5bbdf310

SHA1
eacab27d52f6d6b09ba67e45d792b397f49b0ef7

SHA256
502b0dd7e75f3e5e09827da6d96a3457280204ce754c95184807a39da62faac4

SHA512
3bb8d387eec8fd2ea5e9d46f794f018dee495c8d8975eb48176f87c17d9a34698951b6f8edcfbb07154983d88b28799c5925b24806ce161f1e683075acc2d9b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
560a42ed6ad0cc4c8d42aa0129826501

SHA1
ed0784de5306cdfc049531208cbeaf2e7cf738be

SHA256
7ad0138adeeea6431f6df1fa518b6eb8d3e64c1246c6d9bd224c145a6f60a7ce

SHA512
5d034fdd3a2357378e2b364827e6340ef2deacb6fa829d0cb0160e2ca55ea9aaff1a71035a96ac4be5e5500796503ad4994b689995a8792b1b460bffa8edc5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0d10beae584807baffb4de3600df96b9

SHA1
448005acdc6db180b7ecf711371feb2c37c85e4d

SHA256
b932223440afda1c6b8524e76e94d7f6a49ad96ad61b7434492da03cda75605c

SHA512
f51d3ad12076c99c8b87132b60de9ee882d842bec609f57e311344043341337231a436bfc65a4adda4a502b6078b4f5ae73c5f38f1e342bba08d2430d1679179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df3f4b2576160a31f3f54c2656254147

SHA1
453a2627299fa1c5e34fe13cd5ecf4d7db267140

SHA256
ceffb6661d7bf81fe331af95db9c2095a191bf3170ec2256cd70580797c693dc

SHA512
e6bdc7411bc1333a719cce14aaf3128263eb033272613323f266db17d0411a0125bb6011840a3c570bd96ac401a376e6a6cf2989d71d1f0613224db9bda195df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d7c49bb140865e8707747e6a75067d06

SHA1
6c02fe66cb7648130965206d3c7f1fbccfa49e5c

SHA256
6359110c67819fda09b9a9cae20718d11632808bec5c176f549ee61523f531da

SHA512
7a4e3c395b4bfdfb8887fc5037c9f9e3ca688b76663a64ea712bd8cd52cddb166f8d4f5fd16af7ed0a2071afa118f0a545f293071a24023a3da0dcaf36373597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
58c72eeaa15cbd037bea469068383eaa

SHA1
4885d8eeed4531eac9bc3cfdb676f49df5159c80

SHA256
09374a9b9db3ab87cc0f84e1b742863a5326f4df9ecafe39164a823c4150c9e3

SHA512
54f51be8f384c3f23de2810976af5816bcfdfd46c0d9e4992596bd1a453ad442f63fc34188a8dbb1a518a69d2aa034f8b9a61a017872ba8ec8a9091533073064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0bea3163c96801052dd36cf726ce4461

SHA1
e856295a6a69e4785d5c93a8696021eea09db97c

SHA256
1f4a92f19b226046396d46bc8fa83fa943acfbc00f144660b75274a942fdad7e

SHA512
1d4f797de6932f6e56dcfd48e870c51b3d49836f88ef52111bcc37ec814f6f11cca52364399f3ee054a4066052eb3b7d73a6c12412e7432fb85ef7f3236c5bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
93d3fb40b06d6b2d83aa43eeea275611

SHA1
7906a2ecd24fe0479cf0ee34035e9407f55eee51

SHA256
36cb7dd6693c51d6c0e5609f03f8bd56d87e0039a7146cff01984f61036cf7ee

SHA512
e34c0f061d25aa1ad4d856a3934dd5d151deb05b9e128eb17212f3ac62b2ea9cd9290d6ee01b528cbdb9ccffd454e8f1de153fe1f269e3da8d294b1dd9a0f5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b87d.TMP

Filesize
48B

MD5
96b0961da1babad36ebf16c82b5de1ef

SHA1
a7b561b123ae90381df256bd959c4326cbe7b11f

SHA256
0b89f320b0f6b079e890efa3a06bf95942bac3c22fdfd2a63db3fb71c2a0605c

SHA512
7482bdd0e90f0c54e257634349a918ae857f17e3dd70f84a7061e8576449cb8b305b8eacf0db63d6f31360d89653207099f74387f979f448b11659ce8a5473ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
7d2bf33dc0826932860aa50969ff20c9

SHA1
9788ab245af9c930c2c02544b678be20ed3799d8

SHA256
200ab4fb0026c764408e6dd1f7060b2d5b0299188360bae8e996c621e425098b

SHA512
409f4aabdc5956657a27b9267acb51c3382a7062e2e035d59450d2615213ee311fd4be8afca9af504201011439e3c0e4aa64e72aab960d2e608d7fe72158c6c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bb1d.TMP

Filesize
537B

MD5
cc5d3bc87680bebd8e00587e628035a6

SHA1
7271f4d1537ce776c4ee147076180fe883e56482

SHA256
c8332652fada5db7c6711fb42a28dddb0b50bcb0b1f57f2c60f926a547dc743e

SHA512
67c3731b9915859b820b7b953e35cda0f793efab123a45013301668c6ee1234af024383701b3b6c839bce0c83bf4251445b8b879d4b20800f132b88d51f4e0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c00ea9189ccb81476c483ea3468a57d1

SHA1
f6478b31836737621667d98540aada73b7a3bea0

SHA256
8955562093e464397f5ecb147e71d814c12d01c1d313b83d2aaeaa20e186eada

SHA512
aef93f9d6e2afd4d777f0d9ef3e0ffeb203b1e8eefde629e7280be5a7ac2543350bd85ba8ce9547db435f7ec2e61196d94a10e202e3aeac9c454cff6b0079ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6598378983fc41579978554b8cccd902

SHA1
0ffe856877cac64fa4e64dc0dda01c76a3d5f207

SHA256
e889256961fc3791dabbb40e2f1b61152c21ad2072f83c352ddb257415e363a8

SHA512
ad68b1fd23f054c6e4588acc1864900bc398aec7db9e33e88102e042bb7f9f0b1f1c51aa9b09c4948d2643c828d341bbf92d1aa374ea80ae1fa9e3271346adc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ed3db85cf12828e38eafb467f3dfc69a

SHA1
46153217db8b4ea5520bad690365709eb6396ab9

SHA256
c0ea03d118137d8387c9d4e609da2e3a043d7427a1579251ac4120369c6ae619

SHA512
75adcce7e8820e8386c4b9536c979ef2751b147539976f76191662d6a732ae7212875c161147f1c230dd993415fb6ca92a8501699cc01d7baaebc0e8433900df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b818f884-34f7-4018-96f5-f96085f4fe53.tmp

Filesize
11KB

MD5
23732de3e5bf65a7886999e057f25868

SHA1
85f3875ce0db0597aa9f2c54e48f149918c16ff3

SHA256
a61035d3dddb96c4ea9b23e1dcddd2f453771246cd4398b3f47269bfd2755f2d

SHA512
b72b5c50fbff403c176e10ecadf852ace8ed6fc46ad0287ec4ba871eda89e0b94472f6929abb8b3ecc2e64fb0467f8d4ae36220ad686797d13791b6da4bce6b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
cf4d76f1a9247b679411a23597ab0736

SHA1
ca7ea2bb3f8f7be7c59eb122cad5b045cf4e9c66

SHA256
552fdfebf5efd5e7e3373b9030d26042a53a28197c2955a8dfa3eed3479c6bbe

SHA512
a21e03a0fb43eb2f50e2ee98e9eee1ffcda02f5e418352d567904c4ff33ca536c938f0cc46aa258bc6df37d34f05799bfc8c7d99a34afba789a2286ec1c47a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundPadV2.exe

Filesize
78KB

MD5
467a0a4e420c4412ee6024df672613d9

SHA1
799c389bbf17589cab3a1cb69027efab6c6b1d18

SHA256
55d75647f41686e7f04dd1d648656aeca8166891134184d40967d130fb0f2e5b

SHA512
e861ecac500a364d4179a441aac0adbac51572aaa2514ce4cc846f64091c93e3acffb2fb638a7b16ca23e1ec558118d4f12b5ad92813e78dae91e48cedd4cd7e

Download Submit
C:\Users\Admin\Downloads\Sigma.exe:Zone.Identifier

Filesize
217B

MD5
3e43202fcbeba86c723a84d204f7ffc6

SHA1
4534dca73a22237163e595aaa59f451222699149

SHA256
c8317b08cc73f965f974b88c4a8fb99247bddf71a59121dc7b1d580aa30ec697

SHA512
7d3730133348d4b45f7d34cb0f7f98a10893e52d14272a5643f95f91024d31311561923ed7de06f63b7044481ebed9a3a8292fe6908d7d25b80c34d438542a28

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 946005.crdownload

Filesize
676KB

MD5
df6b867bca38afe7f08e315a348772c9

SHA1
75cf786586e4a22339e3125a962df569dd74a571

SHA256
abff64bee76b35b88a91b10066fe8757c4778ad209b103967c813e254205c34c

SHA512
0bf93522cbf25114bd4a2d0214dc51d274350425e4a3e587846941794b300c66adbb7f9c98c9f63937b0a9d296efcbe12758f2241c816d584e775450f8f03eba

Download Submit
memory/3160-840-0x000001D2B6920000-0x000001D2B6BEA000-memory.dmp

Filesize
2.8MB

Download
memory/3160-841-0x000001D29C410000-0x000001D29C41E000-memory.dmp

Filesize
56KB

Download
memory/3160-120-0x000001D29BEB0000-0x000001D29BEC8000-memory.dmp

Filesize
96KB

Download
memory/3160-121-0x000001D2B6570000-0x000001D2B6732000-memory.dmp

Filesize
1.8MB

Download
memory/3160-122-0x000001D2B6D70000-0x000001D2B7298000-memory.dmp

Filesize
5.2MB

Download