discordrat | a5bc70cf93aa47edf14165c016bd6a61da1171133dc7951c67b1461321d6ab63

Analysis

max time kernel
1131s
max time network
1204s
platform
windows10-2004_x64
resource
win10v2004-20240709-de
resource tags

arch:x64arch:x86image:win10v2004-20240709-delocale:de-deos:windows10-2004-x64systemwindows
submitted
09-07-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

5b15da23c0cd1d4b2f9d3cf7e97c66b9
SHA1

497124f7098aa603a93ab454f2a543532375fc7e
SHA256

a5bc70cf93aa47edf14165c016bd6a61da1171133dc7951c67b1461321d6ab63
SHA512

2ebe94f3fdfd2f4f85efe5655c49093f9ea1740d52abbdb75ba770f03eb19db4de2f0615da65b604a63a32c2e52d0fc3c9a747de52264146cbd1b2b58f62681e
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+VPIC:5Zv5PDwbjNrmAE+FIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5NjkxMDQ5Mzg3NzY4NjQwMw.GpBG7T.4yoz45TeRMvrDOT9SFSRsnsnYO8NRMIQccrqz0
server_id
1260379272208453672

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built (1).exeClient-built (1).exeClient-built (1).exeClient-built (1).exeClient-built (1).exeClient-built.exeClient-built (3).exeClient-built (3).exeClient-built (4).exeClient-built (4).exe

pid	process
3036	Client-built.exe
2972	Client-built.exe
5032	Client-built.exe
784	Client-built.exe
3516	Client-built (1).exe
1804	Client-built (1).exe
4120	Client-built (1).exe
4620	Client-built (1).exe
3520	Client-built (1).exe
5088	Client-built.exe
1576	Client-built (3).exe
1868	Client-built (3).exe
4912	Client-built (4).exe
376	Client-built (4).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 327652.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 352307.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 262993.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 97854.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 975237.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
368	msedge.exe
368	msedge.exe
3384	identity_helper.exe
3384	identity_helper.exe
4412	msedge.exe
4412	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
3976	msedge.exe
3976	msedge.exe
3352	msedge.exe
3352	msedge.exe
1712	msedge.exe
1712	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built (1).exeClient-built (1).exeClient-built (1).exeClient-built (1).exeClient-built (1).exeClient-built.exeClient-built (3).exeClient-built (3).exeClient-built (4).exeClient-built (4).exe

description	pid	process
Token: SeDebugPrivilege	704	Client-built.exe
Token: SeDebugPrivilege	3036	Client-built.exe
Token: SeDebugPrivilege	2972	Client-built.exe
Token: SeDebugPrivilege	5032	Client-built.exe
Token: SeDebugPrivilege	784	Client-built.exe
Token: SeDebugPrivilege	3516	Client-built (1).exe
Token: SeDebugPrivilege	1804	Client-built (1).exe
Token: SeDebugPrivilege	4120	Client-built (1).exe
Token: SeDebugPrivilege	4620	Client-built (1).exe
Token: SeDebugPrivilege	3520	Client-built (1).exe
Token: SeDebugPrivilege	5088	Client-built.exe
Token: SeDebugPrivilege	1576	Client-built (3).exe
Token: SeDebugPrivilege	1868	Client-built (3).exe
Token: SeDebugPrivilege	4912	Client-built (4).exe
Token: SeDebugPrivilege	376	Client-built (4).exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 368 wrote to memory of 4640	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4640	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1884	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4868	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4868	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4280	368	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff131e46f8,0x7fff131e4708,0x7fff131e4718
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
2⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
2⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:8
2⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:1096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=2812 /prefetch:8
2⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
2⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6136 /prefetch:8
2⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5888 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
2⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6732 /prefetch:8
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6820 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Users\Admin\Downloads\Client-built (1).exe
"C:\Users\Admin\Downloads\Client-built (1).exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\Downloads\Client-built (1).exe
"C:\Users\Admin\Downloads\Client-built (1).exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\Downloads\Client-built (1).exe
"C:\Users\Admin\Downloads\Client-built (1).exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
2⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
2⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 /prefetch:8
2⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
2⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:8
2⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,17983758295895767974,16144043983947473650,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Users\Admin\Downloads\Client-built (1).exe
"C:\Users\Admin\Downloads\Client-built (1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Users\Admin\Downloads\Client-built (1).exe
"C:\Users\Admin\Downloads\Client-built (1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\Downloads\Client-built (3).exe
"C:\Users\Admin\Downloads\Client-built (3).exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\Downloads\Client-built (3).exe
"C:\Users\Admin\Downloads\Client-built (3).exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\Downloads\Client-built (4).exe
"C:\Users\Admin\Downloads\Client-built (4).exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Users\Admin\Downloads\Client-built (4).exe
"C:\Users\Admin\Downloads\Client-built (4).exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
37KB

MD5
27eec7e8f48ac0d64e62ec535a19ed37

SHA1
0454ae16951154ff4d64dc2dd20f780b6da87ee8

SHA256
9107d29b79f5c0e9d7ac88f893e0afb7c672d536b2e41de469172c8b7366e3d0

SHA512
f93033661c1974d9225b7e05543d7efe62574567abf7bdbb982b36e5b0be658937a7128de10376f9e39c20a2d40688862fa0e76aa53b0b8c87b99ee536fbb175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
21KB

MD5
6facc79f6cd8bf7faabef4e10c0378e3

SHA1
d6f21d215eb457509b8dee6c13b1ec4e25fd3b6c

SHA256
94519548151f8ef04815e1f02bb807f9430b31a2259ac1a6f8e27f05c13ac0ed

SHA512
79ab3c5e93f14bc6c16a6140f43f45c5daefa1047531bef1ebe4be2d385f098ee4a711f9a7c7e6077c05be4e760157c10feaa34bf8cf06c263b2435b5f2da37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
99KB

MD5
ee8e217027c1e48a063ed0f9947c72aa

SHA1
0cfa926b047f505a5194383564d659e805ae50b3

SHA256
3e57e100d87a819f22eb8250b1e015d07a7e4e93c92425e901ba06d452510490

SHA512
b9c0b970590af21a4bfd12792b494373744459fcbc86ac4e0b6fd70430f8d85e10145a81e128ca0943bf9fbcc759054f50fd965b2055e87a5590e336d7e54614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
21KB

MD5
3a86c9ae7addb4cd19e8a4f8a52ba99d

SHA1
9b0085caa41927b3421d335e4160748f62611f7b

SHA256
631acbe8566771638d9451c9e2125fb82389b5d01cd5c7a0f8acf5d1f992e7eb

SHA512
c606f70b56eb2a47600b45aafb1cb5431fc25afebd3f7d93dc19bfca1641e176ba2bdb1693cad56f8b0970c3d5474898bd107a87e1729770e1b6baa4c7f5b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0d80f0b8f40a650f_0
Filesize
250B

MD5
33faac300f43e8baf81a32122967f8a5

SHA1
f434a98b472451cea987464130832394cb59b577

SHA256
bcc1c7e7a6340a060d569d7991d498bc7e806a7ab1879c8bf6ffb18b8075d9d7

SHA512
e8555555441f05372f1716cb305d31e5f52190a4991de717d5a2c0dd0de3ac30ec53f018773f06da4a30e061ee792abfeab93776f0001fe935424a32fc16c163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6ec939cf58d038c9_0
Filesize
73KB

MD5
81e23a6dd7bf0ff4980592fd24b892ae

SHA1
5428b2e138c1c8ac0abdb8cbc3d80c3791c79927

SHA256
94820fb3e46c7128d71266e0c4a4bb275db8ed271155e5812330043b1d481a23

SHA512
76cb759bec848345aba6d9b093f3738bb59884a27963e7a941b18238d400130353f12f897d8d817a187336cb24f13ddbf9d8c0aee0b80f819033b12f3cc557fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
b2ef2e4ba04f7e31ba9095b3f2a86be4

SHA1
f67b60954c33930b30f164f493298ad1860c7a50

SHA256
473872a6c036de8baa2a9fd21283be49773818748875f45ee7707f2d00256dd9

SHA512
0e28dfeb32f3e5392ee05411f5591484efc68b399f009f7cff298914c37fe54f094e3dfb593f410882358cbb3b657cec2cfb89f2471973779e50f8fd342fc924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
efb775dadff12757f6ed7344c673398e

SHA1
182381ddaec0a78181ead0d45772966e2d9ffc46

SHA256
543b1fac5edb07e72525367f4e4c2f98a152693ba6f64b89f62a5ca391d315b6

SHA512
4807a44ece5579875b628d98b6b3b2e0d0ea2dda5742be32c33acabc4272cc077d74073f58dcade60d77223a5f8a6766fef7b231633b176d25b122e7d10d7af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
048bcf5c832cf13d8553daa5cd28418a

SHA1
0e339fe81e34311f79f004e2d9ee2bb3bc366fc5

SHA256
3cf0ed17a6c977378b6a24d9c5b208ca058eaf37c52f0df7ac2f2af173b0a889

SHA512
5f7c9cdf6221d9c8a5081601cc0a69eb9cd8d0d5f6618a46aaa156807129ce308c4d861251e8244f42dc8a896ca05b8bb66fb0665823a9f4906005921a48b957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
2e080bdbde0428d130e7f15f2c4a5d50

SHA1
e7e514afc913895f5b9d91f2990361a4c4d8470a

SHA256
34b666a489da739b29d5a6cd2c46e87d4f0f756ec115cd854a0901bdb75baa81

SHA512
1598d5485af551c0a01bee367554ef8feeb766d78ddf5c4abc3d7fcc27ab8cf1b4c374a44d3f653e12ac758304d809765beed8c0c390ae8d71a4c92e5bd4a5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
708d7ad71e58661d529a49995cc73b23

SHA1
8c3d6d7535d040d1a12c30e011ef2160b987a918

SHA256
0d9652011d4a2b15890ca32ce24f3c67d538030399527088176f3a431122db4c

SHA512
8103a38b60ff35d1285311c4c1523b0155362873461b067bef89c8f9bffc6e12805f11891f4bbbf0c0285d7a0637ba116d0115642fab9a3739302a053cddd94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
235e48fb7690aea717f84eebf37a42ff

SHA1
a0e8c7c1b52e155981a9a6c9fa7614f3f01458a2

SHA256
ac498bf12f4f5f519dd2bbc04e64d69f2abdc3bd2b94b70ea5765451e2bbec22

SHA512
63a48ee5e048ee88794b19c14fac9659d288261af047ff6db50b435cdb2e2b4173627d7898aee7a98a518c62457e2eb2cdc9811be48dc1dc748484217b740950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4363a5009431c5ec7bb0c8e631073135

SHA1
e5b112614b6860823cc90cfa06a7b07cee8c5ed4

SHA256
62839b591c0d7f632f79f6f0adf750e9130dd1795194a82ddf3309e232a9e1ff

SHA512
f8ee7aace1fe08b3b03e5902f011a2ddc2b95799986ab7e8659b3746bd722af0dedce0205f9434a1a45b207254b706374ef521a59a7b60c783115eb27207e999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9db617448037409d842e70d031e09dd6

SHA1
70532648b0384083fe81f583e1387283c38e7caa

SHA256
acba77cef0ed061b8aa0f92be071aac2549e3db9172fa832f16ac54cffca010a

SHA512
1b26e20a6333f0e7bb4ba95cc10836bd9c40dba77b9c2474f31c5b7db74795d75d211c39566981294a17d7d1301ed06472fd64dc1514da901223b103acab22dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ee6e543fb1246c0b8be605ecd629e888

SHA1
3677a4358e67eefed7c4c55c6f50187cea623aab

SHA256
d99e93acdd9f66ba2e7ce5a7ac31c4765abfc187468641303190c5d5d74a120b

SHA512
242fb2160ec04c641c52ba66ecb48ad8a9fb8d20d48f5bdd79ed99571158818e4b257c2d1c23b398b8930bd66d2147033760e46d4d95ae0e745fe36a6d3e9f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
090f668fd8e11d191dd881f87fd436d1

SHA1
49313b3e3fde9ba8283db74e2fd81dc1eb0719f6

SHA256
2482e37d3d2943d9b784a7e606499df18874bd44e324ddfee2683160818a2b1c

SHA512
d27d77c5192ffd5210ae80b2a411a4bcfe3f02f698d1f769f6696029027a421b1ee17b08211b6a7c6134f1a44c6f17cae09d34beb0057d14c007180b277cd9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6be67412e2c02dcc753d92a5f731c59a

SHA1
99e7b75ce9b87f0e7dea073992a6ceb1d80ba3d7

SHA256
2a81203f985d522b5aa9d5ff82e844f63614c9829fea1cd4756a1069e19684c4

SHA512
cc44d40fd9c0d402f6474aed99798fd883a5e6a6487b87816707e0bd3c0958bb054033b83c0bace290b7dc05a11c03309dfd6fb6a23589f0d0fc8f0363856c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cd01c75f6b3ea4c8284e148003b5d625

SHA1
0316167ded32fc28777c01adcd1d780f62095255

SHA256
c016166b6eb964d74077e0e913ead91cb3e1827406affafacde9c2637b93a347

SHA512
be11e08fb9a70b2d9ccb7ee6567f04946242941093ddd54ac7b709499c7a35a5d7e56bc7c4bfb9b95aff7dbe71799057ec12da5dede8f35dfdff8f5bb0b7bf92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
3cd244a3a8e4b92ebfac01eed3972649

SHA1
2d97a006c6843d67d5d375f15419b45dfbdbb5c7

SHA256
6df53666dcc8cdfd03f8b67f5e0dfec383b7290fb0e841b279e649ab4051bb64

SHA512
0143899b4344979dd87fd2138859365ea2f5730507b7b23e99895975b6563c073692e09ebff2fbc9611551af154b3c3b25c4c9d0225215e3f0a9fbed8224bbb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d3dc85f418896e378efbba3c17e482c4

SHA1
63c26229920c0421ba1e9ee95979bc66e69dfedd

SHA256
32f931b38e1ac3595906f27671f2ae81b5d3c9b7a79f92779137af93052d7d66

SHA512
7603576dc73fbc5fe948ba499d4ee5c4b8c15c2d89dede4e45d5d13cd7b54c084e06e4af5f254f083421eb09d4838552b613f65f10e18dc90e4422d195484faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ec5e6b6cc5e1062073d6cb810a3910bd

SHA1
53079e69c89861f5f4a95317753ecbc4b8ab8a2e

SHA256
1cd20b88680766761849a8f38168ee8ab60c0c8ad882526f3dbdeff5597bc9d1

SHA512
3bf8a2c187e7d006aeb447b433a5658061c8302b0e7e696a2ad47128faed4f5ba86b0c0c9f25b128eeddd8a6c0ff1ae0ae8bda42569925897819a9b49ad357b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
bd50752cb5067551f1881b7c343a26f0

SHA1
34d2f73b1f16f8c84f74dd6b1aff6b3a62d880f3

SHA256
7ffc29af2871f09674fa7ec92fc572d77cefca11993be4184325bbbbb8f08148

SHA512
eb07e2732f70cb70df104499c0e745259ab3e5430d33f8fe9d89abef460e413ba548247cbfb219157cb82186280babc52d8e8d17f6fd4d2ea3589b75f0e2a334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
767aa0cdceb56ed115d1f022cb70c868

SHA1
f62f6c8a72594036f3a32110d2b22b1de1cfcfb8

SHA256
671d8331318ebb057f46f56a6cfb149fcb5b4d604b794fc6e1208987641ad702

SHA512
29dee41e638d25b44513adaf21156daafb3d0b2f19846be629506b2fd56d2023918558fbd5c4ab54126cb00164afe3cd481867de06af7811f7baaa7f463e59a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
e78df801e2a33f9dfcf85b959a04490e

SHA1
1dcceec63fab9fb95640d5bd656b7b9a0e6b0ae8

SHA256
078ddd1be959e474abbfcf39187282a794cbca3199475d613201b385bf0cbf6b

SHA512
66d3edaad0a92cbd4adba7004d2739874a1e53e3c7e10db0f41ebdf6e97f91150580704f5e8cd8703862f609f9589a95c584098bc55b1d56c6414830e8a581ee

Download Submit
C:\Users\Admin\Downloads\Client-built (1).exe
Filesize
78KB

MD5
d98724958d294a6890faf730e15e1325

SHA1
022120cf3b41bf9deb57340d840cc470d48a5aff

SHA256
cf7e761853de224646ae44e15e3b90d06da0f86a6598b91ee42933a5a8b22237

SHA512
210329ffff053e2cb15dc0a7eaf7af398077b94d2ce3488d9367d4a7e9ceb9108fe67c273b8678ab73570ee522188bbb0d5e885f20f3781b6deb7c2c019cf9c8

Download Submit
C:\Users\Admin\Downloads\Client-built (4).exe
Filesize
78KB

MD5
4945f77e7275d80caa0303cc043b99a0

SHA1
12941668ee6ea564c48a3d174817f0eddd3a724d

SHA256
c276577f08b7dd260c6fd0becbcbc23092daeb779847463c0d2d995e90df3bb8

SHA512
2d33dddd40ddab58474e004e75fcdb4e65d83ac24b4c9c4da7a99a53a5b48883af8c7283f230fe359d0d401a0ee364029852566c04ca8becf284db1bee5b2102

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 327652.crdownload
Filesize
78KB

MD5
5b15da23c0cd1d4b2f9d3cf7e97c66b9

SHA1
497124f7098aa603a93ab454f2a543532375fc7e

SHA256
a5bc70cf93aa47edf14165c016bd6a61da1171133dc7951c67b1461321d6ab63

SHA512
2ebe94f3fdfd2f4f85efe5655c49093f9ea1740d52abbdb75ba770f03eb19db4de2f0615da65b604a63a32c2e52d0fc3c9a747de52264146cbd1b2b58f62681e

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 975237.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
\??\pipe\LOCAL\crashpad_368_EEFFWWYCSESWXYAH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/704-1-0x000001ED77480000-0x000001ED77498000-memory.dmp

Filesize
96KB

Download
memory/704-2-0x000001ED79A90000-0x000001ED79C52000-memory.dmp

Filesize
1.8MB

Download
memory/704-0-0x00007FFF06213000-0x00007FFF06215000-memory.dmp

Filesize
8KB

Download
memory/704-3-0x000001ED798C0000-0x000001ED79902000-memory.dmp

Filesize
264KB

Download
memory/704-68-0x00007FFF06213000-0x00007FFF06215000-memory.dmp

Filesize
8KB

Download
memory/704-4-0x00007FFF06210000-0x00007FFF06CD1000-memory.dmp

Filesize
10.8MB

Download
memory/704-5-0x000001ED7A400000-0x000001ED7A928000-memory.dmp

Filesize
5.2MB

Download
memory/704-69-0x00007FFF06210000-0x00007FFF06CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-417-0x000002136DBB0000-0x000002136DCB4000-memory.dmp

Filesize
1.0MB

Download
memory/3516-366-0x0000021353130000-0x0000021353148000-memory.dmp

Filesize
96KB

Download
memory/4912-603-0x000002710AF80000-0x000002710AF98000-memory.dmp

Filesize
96KB

Download