discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0

Analysis

max time kernel
633s
max time network
634s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
4353453453456 5463
server_id
3242424

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
4284	Client-built.exe
3440	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
108	raw.githubusercontent.com
109	raw.githubusercontent.com
232	discord.com
233	discord.com
234	discord.com

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133659839587835006"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\縀䆁\ = "csproj_auto_file"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\csproj_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\csproj_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\.csproj	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\csproj_auto_file\shell\open	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\config_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\.csproj\ = "csproj_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\鳉蟕	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\csproj_auto_file	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1680	NOTEPAD.EXE
4148	NOTEPAD.EXE
2504	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
868	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
440	msedge.exe
440	msedge.exe
4268	identity_helper.exe
4268	identity_helper.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
3444	msedge.exe
3444	msedge.exe
4644	msedge.exe
4644	msedge.exe
3904	msedge.exe
3904	msedge.exe
4848	msedge.exe
4848	msedge.exe
2332	msedge.exe
2332	msedge.exe
5152	msedge.exe
5152	msedge.exe
212	chrome.exe
212	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4652	OpenWith.exe
1060	OpenWith.exe
3992	OpenWith.exe
4584	OpenWith.exe
4192	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	180	firefox.exe
Token: SeDebugPrivilege	180	firefox.exe
Token: SeDebugPrivilege	180	firefox.exe
Token: SeDebugPrivilege	180	firefox.exe
Token: SeDebugPrivilege	180	firefox.exe
Token: SeDebugPrivilege	180	firefox.exe
Token: 33	3952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3952	AUDIODG.EXE
Token: SeDebugPrivilege	4284	Client-built.exe
Token: SeDebugPrivilege	3440	Client-built.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeDebugPrivilege	180	firefox.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
180	firefox.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
4652	OpenWith.exe
1680	NOTEPAD.EXE
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4148	NOTEPAD.EXE
4148	NOTEPAD.EXE
2876	OpenWith.exe
2876	OpenWith.exe
2876	OpenWith.exe
2876	OpenWith.exe
2876	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
1060	OpenWith.exe
4492	OpenWith.exe
4492	OpenWith.exe
4492	OpenWith.exe
4492	OpenWith.exe
4492	OpenWith.exe
4492	OpenWith.exe
4492	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe
3992	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 5060	440	msedge.exe	84
PID 440 wrote to memory of 5060	440	msedge.exe	84
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 4560	440	msedge.exe	85
PID 440 wrote to memory of 1644	440	msedge.exe	86
PID 440 wrote to memory of 1644	440	msedge.exe	86
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87
PID 440 wrote to memory of 1184	440	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1d1946f8,0x7ffa1d194708,0x7ffa1d194718
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1900994678292495082,1433679698692719268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:2404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4652
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\builder.csproj
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious use of SetWindowsHookEx
  PID:1680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4932
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\builder.csproj
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious use of SetWindowsHookEx
  PID:4148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GrantSkip.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:2504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2876
- C:\Program Files\Windows Mail\wab.exe
  "C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Desktop\StepTest.contact"
  2⤵
  PID:3536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\builder.csproj.bat" "
1⤵
PID:4444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3992
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\App (1).config"
  2⤵
  PID:448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\App (1).config"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:180
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bfb4ed7-3a77-4572-b4b2-8064170a1bb3} 180 "\\.\pipe\gecko-crash-server-pipe.180" gpu
      4⤵
      PID:1968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e6316f4-ef88-4be8-8288-0fb74aa2fb2d} 180 "\\.\pipe\gecko-crash-server-pipe.180" socket
      4⤵
      PID:4604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2948 -prefsLen 26814 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83bd2daa-b99e-4bf2-96f9-4dbd23ccff3f} 180 "\\.\pipe\gecko-crash-server-pipe.180" tab
      4⤵
      PID:3616
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3576 -childID 2 -isForBrowser -prefsHandle 3040 -prefMapHandle 3528 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b837be1d-a86b-42ef-b028-3b7077ad5676} 180 "\\.\pipe\gecko-crash-server-pipe.180" tab
      4⤵
      PID:4424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4608 -prefMapHandle 4604 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d6b1508-fcab-49fa-bddd-ef56fe6fefa1} 180 "\\.\pipe\gecko-crash-server-pipe.180" utility
      4⤵
      Checks processor information in registry
      PID:5700
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 4500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1bff3a7-f2fa-43dd-9f36-9b7e95ae7d06} 180 "\\.\pipe\gecko-crash-server-pipe.180" tab
      4⤵
      PID:4248
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {303df035-346d-40ec-8fea-59758424428c} 180 "\\.\pipe\gecko-crash-server-pipe.180" tab
      4⤵
      PID:2556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5236 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1935150b-5871-4701-bfb7-9c4169dad5e2} 180 "\\.\pipe\gecko-crash-server-pipe.180" tab
      4⤵
      PID:5160

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
PID:5784

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:3840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\OutLock.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\5x.bat" "
1⤵
PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\5x.bat" "
1⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\5x.bat" "
1⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\5x.bat" "
1⤵
PID:3732

C:\Users\Admin\Downloads\release (1)\builder.exe
"C:\Users\Admin\Downloads\release (1)\builder.exe"
1⤵
PID:232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\Downloads\release (1)\Client-built.exe
"C:\Users\Admin\Downloads\release (1)\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Users\Admin\Downloads\release (1)\Client-built.exe
"C:\Users\Admin\Downloads\release (1)\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4584
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.ses
  2⤵
  PID:5536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4192
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\{0EF2D41C-6EDA-466B-BCEF-8D26F87781CF} - OProcSessId.dat
  2⤵
  PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa0c3dcc40,0x7ffa0c3dcc4c,0x7ffa0c3dcc58
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3732,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4752,i,8653575627268715469,4501999482348109589,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5712

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
d104701f68e2e227586ef09c89f4bdd7

SHA1
60db9efb1bd601f6ea70da9e6b6e25cf6cd55d79

SHA256
1abf9ce386cdc49f4712f8b4dd0c6ca4b7d26ddfbd19803b3c0b66b2c97a9acb

SHA512
14e8eacedd0c75adb3173c0de1bd90758e151035a79693be677eb0f0ede2136696db997d1375e77587627b2c03c767d0b058a00589c7d2b48b9e28513c142873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
a50f7ad166b0c1cf695110b21c22c7ef

SHA1
50782eebc06f535cc14aa861c80dd730782ac2b7

SHA256
3ebeb9542306c0726e47081c3b32e7df76b36c90eb5f8cabc6c523707df066a0

SHA512
02303c3bd015fcb5f185f9396f19cb5df05a05ac51ee53588f35b2d6db5f7299f4ef6f6ca12435d0d1b3275c473ef8beedfc383b43317d7987fd46f7c3cc1dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6ab9bf4994c6792a8144bf2a024a9af4

SHA1
3f3c55fbda9cf14ddd9be6fe0b6304cf642f664e

SHA256
4bcd40bccdf948f97bff1dcddcb230dee7d2aeec56e45b940fcb9702df2f56b7

SHA512
77a068c9b1efd2522e8e746be9c44e2bcb83c4d52deb9b889b4746e8cc0b9bd3cbd97a1eb4c39fd07a068889cb6ff0fe6b0d2de6e465e11309aa49eb28b55188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5de716a5f8e69998c168b473ce28181e

SHA1
607eb1b513063d7cc185a80b47d988d6b28f5682

SHA256
87b8805b9b2fdf4ea46d856aafa0d2b385e890f39b5c030c7a280cb1e62ade09

SHA512
0835dfe6ba53f51da61f8425671d7a91cc9d722bb8f81e849463132ea5f7bad796441183591466d4b656d283b8d9cc7ef79c06955d302b5b76fcd5ce12952343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d32580a00eaf1f3729423e0660142f70

SHA1
f77985cc977173db54a373cb4cad69a1675236fd

SHA256
e333ec743ca473d63993721d2a47395e0464d7337b9257ef34e8a14c9d639d26

SHA512
bc1ae161d84b8e3d175a9a6b525525922cb6d96c325eb9d98c8f13e18fa1ffcd2055c18c2383c288da1c74a3fe01584c059a4b5260692f80092c0f5ffab2ac09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
361d1683eee955d1597827ed3c03e407

SHA1
a65303c1932d71a17708f8ce4f88a52a2199c7df

SHA256
497ad55cfd80975d2e0aa95d0490cc706cfe9eacadf5510999ffc80aa76e657e

SHA512
acc8cb3ad90d9fa5113d4ada9234c2585ff940436659a2ab205a56b8334eae04b54b257e712a6843615158343b3c75896e53a826972953c5133f6f4b8f6a4c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30959418092b49ec6481dc17b23db77c

SHA1
66fa3ff80fdf4f2051dba066722ca61254b04ba0

SHA256
040e859ea344edf38cf422358a7980a8f9c0f62f03d9860369dffa8cb1dbcda9

SHA512
f65ab92f1aa7bebfc90b3511dd140d5a04956882c2103f8780c9ce234ea3f9465e1eb9b10197aea8094af2b80d734df66237399742218243d2cbbe4c0ed14bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
dac30faf52583de0476828707df1d2f7

SHA1
475c96fe95587e286a2685a0916650ac99bd7630

SHA256
1c162e608b59acb1a42d87dd2261e28f4aa095584f8fcc02ea534de30ed3762c

SHA512
adc39a5cf353c6e982f62008a5d309bd01e2cb9b779d03d4bf5153e54dff35b7daef41a83a88ec6f91ec857ee204301c227f1dba9bdcd91eaae5eeaa4e1d1e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
6e58dde0775ffd4514ca4479b783346a

SHA1
525a8606e9acce40f64612475f0388c71a669038

SHA256
54e8566bf023007f8daad8440ff0087d2825ddd03e77077bf9ac2c7a6a87c4b7

SHA512
8d9d46f03fa132c9714886b2db283eeb9fabad025cc82386c43948fecd8aca7b6cabca3d9715a4f2a6be360abcc2e07613f9618cddb1646daccbb1a971100088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
a282c4bf405415585d0d5337a5542192

SHA1
35a679b072f4ea0df61c1a9432a3136ec2e0fe8e

SHA256
8004ac2c4263ce2c80f2957472eabfc181403a12b12c762d6a57e8b0134e7bf3

SHA512
15161ee9fe28999a68cdbccdb18f531043cf76fac7d4df1499e5c8476a854ac477773f2dde09aa22505709a31d49241e141a283aad3154104b7729b1b0af3a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
76d0f127e14ad7ccfd9e00a94b0d716e

SHA1
a0b6b4a26fd5d028c3a664422f00bea08ca38d16

SHA256
ce6798dbffe84c19490ee37a7a16f1f49ae8778cff24ed4e4000641cb363ff10

SHA512
7449c055b3e7164fadf339458c7e55bd289bc99c777b34a8520a16005e7e56239f661ff69f9722356db367644dffb435f4e341c446219085692b66a8f7c2b6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a75fe8a5118a030e2116dd37b399cd15

SHA1
bf634aeb272744ef40265434a1727235a58f426d

SHA256
bfa264de492d51405fc26266b8173a7304b141c7362d8bf6d31e3f1feaade520

SHA512
ca4bfb6a65202dcbf01500337ea0dc7fd9603f1c3ba34863b6717fdb2f47d482172a737fb531aaed8a8d17f39645181c59ddf787ec7ca6ac8b73bdc319028dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cd7dcf0431ca86d577db5004c11427b0

SHA1
1e1186bf10a4192d9fe6ed6c31dff61586b12769

SHA256
ce909341f55afc3f0a4882ad51777f5e933df3590d25475c59f57918b29c5e2c

SHA512
2ddea58290860ffa8401090d29cf998630f954e4da56b090640923412f554b916c9beb335f82cd71b669456985aef5167c9177d9ec13105880ecdbc675942251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
903e5f969ce6dcdcdac7b9c6cefc8ce9

SHA1
2492fa356a31230e77f742f6eb3f3771a2805ea7

SHA256
5abeb271a84615e456c472fedcb6835553b6c05628c86244145731c0d23dc891

SHA512
0f857b384c6b9a4ad569a0e5a1247bf4ea012e890ad3953afa9a37a6923451e90570731100c13d5ccec59dc7569e2dc6dce4580dbfdc8ba765375f61ca90cf86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74393e6f7f0582727b6cb14765e14d1f

SHA1
c8420da80cbc9a832e7519b3a0a841cd4bbf4f7a

SHA256
340249e707aa42b4ff20a007cfd91fc754ee368671343241832d2a4a5843343d

SHA512
2dca0923e764b2e4d6a545b231bf9824dba52935c0737be5ba60f6f1d9e9f4897fde78f9b3cc35accedaf8ae3e576071bc736f42664c8fbedb910387e12f1b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dece3bb2d8b978f481c588128827f3bb

SHA1
e74b2d373043c2eee173cdc13cb7f9b7e4b4e957

SHA256
d6d9faf58decb5e2dbc08e915271b8cadc35a1c04f8a95186a470a374d89b042

SHA512
c4b64bc3faa798653150b0458f2d3be096ed1481c6caaef35687de97e6047b16126ec8a4b75923a510b4c2b671233fc8fa23a86e8684fb33d0052f22fc14ab5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e0c28a732f843d0601842cea48e4896

SHA1
e404c65679be49e49223ce76eebb5b73f77e3897

SHA256
a28992926d8a0c06b74ee198d5254e216ef47fe9a4a315e4319a5530d491158a

SHA512
df4ead62dc81310321257aadf89a6d39d3b507bb14bab3b8f9f79e871d825855b963bde6c6910ae335d78dc0270310e025f51af22d3469fecbef83181d85807f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7b661ef9e0345ad0e4a92b2c4260c2e

SHA1
25d24b3502aaa13f3362152fde91856071ef0c1f

SHA256
45cae35abb5b4ca6f96175d78f0cae20b42d4dea55006af2ffb46283ff4991a2

SHA512
ee24cda5deaf31c20cb446ffa1c11e788277f06416288afd02bc9d5e041c46aee817945f30d27690f5548cabd0535ac27d8494da0927f7ecbba249e3487990c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3610bb76bd447a44cf4332f166c888ce

SHA1
7a821ad0234e7a2c405693a598acf37e9644f50a

SHA256
b39caea0ed7795820fb32bab87b3f0d64021c6fae918c9389a44aaa4174f2d77

SHA512
485a6258d16346073d3af6a1824ec5b72a0bd9ec9e6efa735b33f4a75e38c94051bc754ee15d2a1dcf71614c4ba54145217f934d49578b66619485ee8c2e61c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a9c422426e73293ba9b8cf128508c4b

SHA1
de8a7bd1c4db5871f6758a4826034098986cca65

SHA256
555a89c9ebb376f7f910bee2c110d03eb2096639b2d070305979ddd0922b9e4c

SHA512
8fbf3a41d9bf6712fb3aa4026ef2df8bf83f90cbc4e4f3e9f06fcf57ba5e73cc85c1604401e9631c20b475b6a8ec02a49a1fa136eabc0a12598f1f48f5a6afda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b0cc7d733ee063a066168fbbbb9d01ec

SHA1
58afc0eab101a17af5cf83d3a47d00b9af0be3f9

SHA256
f85a7f849cb692ccfda0306f5d45cee64172a0eac8d60012267fc89f5ababd2e

SHA512
f410720fecc0294f19d201a96ddb9b4cdf55825878e3c45126e95d5ec3aa026d113f95ff9324d3fb3a9a26ebc94c47549fe268d9396a4f31efa93e56c80c5313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
75b710fe732702ea95195e5b7864418b

SHA1
a8f0ad5f5d030f524138d7db837c46829e539417

SHA256
2420d6a7b682449760b4966cb10a4d7b3f8cac29b614abcabdc137256960c329

SHA512
4dcb75d1291c2cf6a18a1531c4459e663b11ca04fd42258f889976818490ecd72bebdf000109b0676281629db6d29b3918c441bfc975bd788f92fa656ccdcd13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
d418fe16792a283f2c7b4a4fc82de661

SHA1
20952e30540b5ebbe02de168b5f8e837bc2a89f6

SHA256
f8e197b7f28bd4444ef5b3c73431582745e48c557447cc301d06834e3f94ebc8

SHA512
abc3461668f66a6d8d423a17c7f70dd6282cd1086f4bef1d9eddc315dd69d8267559c8862537d500565367389cfac18f5ded6e5b675e8ccfa4ed634988db09c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b8b59aa9e9500359d9830b2e50ee6fd

SHA1
ad6fc363a496fdee9894b19cb4905564f7767766

SHA256
c56968d1d89cac25dfd731992744215296c57c0fbdffab7aea6f2f0798ebdddf

SHA512
8d93d95b0b974c95c0e340d661d551670bd364f94658704bd2016c0b9e89a38d600cd7119953c36dc5b7cb94af5f810cfd75c8649ca1e4311b1e9084c4fb98ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c5b847e50fdbdc802d87c05167fd42c6

SHA1
57b45afd34903f860b9f3e02aa52b9b525009a0d

SHA256
b240b396316ecc3604217b2a72a86e16c71bbb5e4f6cabbbe316ff27cac49f9b

SHA512
3d9ca225723fe93e7a6b08be42f9a0d8fe91df24307df325dc31e065837ee150e6ebf9d659a2c74e51aeb008157f4be789229ed958ca2355b0047ba119ae5a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9f344aea8359ad4ff6a5c1613d877c69

SHA1
073edcbd0cf0122b71bcb2e71b028c987c4fd9c7

SHA256
20818527714259071b3def85f63bbe69a1099eb9e467ce1bcd77d1e5172e832c

SHA512
a1c3dcdd2a7c819c7113e0742f3dd3daa115933d8346001138a9febe8a7b705eab98fec2f3752cda0619957df56a3f23bf4ee17a55ab2c216e277c95e0216f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc7b21b54d1b6061bfd7aa391abb345d

SHA1
4d69f0a0cb9811e9d72f1b8ee8c18704826aa8dd

SHA256
c5eba682e8eb7fb1aeebf1a81bd3bfb97940b934c87c969e6064dfb9fa9abe34

SHA512
5bd265c6ae9711da0f6bba4837a3b75d48d142750b85b4928e27aacb2c268a3b0407c1dad3c7782015fb0309fa378f3efdb2b4c528c5c2a398e602e1e4240da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f8a926520a91f38e128aeb467ca62ce3

SHA1
5e023e8cfaf1ceeb51d3c6ef64c5b9742e4c9c1c

SHA256
10659487772ff91f9a4807dfe0fbc64c3e1e329c9c4e69f2528293407e04a5b0

SHA512
a4b24a3efbdd51c17944a1579c9cf95445b18f249b9fd38f56daa3883631964242d0202c83035cbe8e468c4c3580253ce47fc94d2ae69e5f9cd40aa851781339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
78f6f99f5722a0f500292a05c79f7348

SHA1
e3c4c22c1703dde981e036ad8d7f00f21727edee

SHA256
45599022013cb568418e28a24754ec8309f4dfbdea46d5be2fdef31ff999d346

SHA512
f77e51ffe50cb73377285d59626afb0321ec34a14d4633a923bba3c9541a635f2b30c9c967b2105d9abb7eb0ba1ec21b6878380d3db392aaa96d9c6662fd5ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6eb0c506cc4eae33d5990d97551b14bc

SHA1
d83425e70d1ec36d1143de4522e9eeb7631cfdf6

SHA256
34c9d4a8b1271c075a1150f88b10ec3722c7a5aa19f207d4cdd68b9f78320753

SHA512
e8c1e02139d2575e9497c0ff510dbff98fe82200131703decc2e7f1de3eba18ada8bc6dd985c852f16bcd64630af1ae3760e76fc9946a7852816872a1b3a44a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
965dc296b1e50deb842525745ea485b0

SHA1
df39e26d18dc723469220fdcdc8d770061756b36

SHA256
9fb08f3cecd449fad940c57118182987d4d0440617fba1097fe06a9b1e4f169f

SHA512
ec31ac844fe82da6ae261576194c2d4c740eec9e1af334618d74ad77ee42b0664b6ffe8945b866d53736e9d57c28d1931ab14dc62dd6917a48ae2258b0558db9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58752b.TMP

Filesize
874B

MD5
95441017530a627369d5bda1d9e0bc73

SHA1
01ae75b31093fe8a8ba0c214414e6182d1e70a4e

SHA256
d35db60f7b8ee7d491b59a938732cc036d8b9c88a9e695fdb8658cbaca0a6c28

SHA512
96c345a0a0a28b929dca57b4d01df76505ac3cb35621c2a95e83cc851519f3a994a611824becddd625db6e611907c344063c1df5390c1cf94610e93e33919449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
06c4029391107ecc850c270be334d452

SHA1
5aa59a4e7d578a85628cff08d9f560791bccf793

SHA256
65519fac5a426ff6fa85ce6b973ffe9a8756603e4925f46c81667deb998aef74

SHA512
7745393bdf6294f94d5449cfa998009d6ac06a244414ab1e89ac0da2ccf161ca87e15a18c68ec44ba9aca254a2a85a4bac857f23a7a5e6222dff74150faafc02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c389ce5edf2b7bdd045904eea14b7c3a

SHA1
697fe2e2601579667ad5f1f6d844dfb2a781359f

SHA256
d52725e99626348d26df5ec4acdbdfe008d4251e26bb501da4833bade5fa34c8

SHA512
4d1d56809f1df487bb0c1f7a8450d8fdd02479aa43207b32ebce1f17190735cd8545dcce711d452eb332720c9af660cf3a612d9287347bf0c8077fbd56e83ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cd09e70036386b7561ea1509718b7d8b

SHA1
bc2c80dd90123b6d264738649db86d14b7268655

SHA256
94c35148824a7734320a01cb1d33399aab4b7f077d3cc53fedd6a298ef6b9149

SHA512
2b4b73ad988d522a098992b00ea0683e15eba35ef1b935ec2404cb4f7cb278fadfe43eed0a4b1de0526ffe6dd7f3fe385ef1c3d547b03f27aea0a4f985d4b0c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
508781501c6959dec429dac9841c55dc

SHA1
d206c65caf0097f06f5116abddbcc4856ad731b4

SHA256
4eaedae0cee41a0f14a26af074c9c878e1a1eff2af3479bf20a149a80907c8c4

SHA512
c74a17602c6ea3c7e508f342a173d4dd2d7f87079c25d0c7b3dc7f810d8747ac20a6b746c3081199f6288bc46159451c0d046c565c81ea3554945dccaca2f355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6e9cc91c9b5a445932da2cd67ca24abe

SHA1
166d57074005ce1b7f07cfe86e7f6224afd80366

SHA256
e87fadd92dea7b37fd31535f330005206ef163ffca9c4f8f41362e7232f8ecdb

SHA512
d1acda7fec8edb1bfab30a1ec537a012d941a105cf2dc240c3d9433854990bea5a29463fedd308dbf21ddf84937c6b05522f7a837c95b7f58ce5abe532b3f8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f70f4716b9e5e9fd5d9936a8e02bca7a

SHA1
a2e267a299a57d56335ddda77c4967a11da50f30

SHA256
456735a1026d9c139db5889e991722ca2d51c3190f5e484675528aa60c94ac18

SHA512
1bd12bb1870183bd32332bb4d3bb4cdfb047e9a13e162995aac658ebef2589650a624a3b724d643f4b518b032b58f2e2a857e12f9c232e9c371dfce42028957d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
2ee940fdcb100da3442f72f0b3978eab

SHA1
2007fa8aebd9322505c752ebf32b5abd5280a987

SHA256
5c3dcd9f72040f776c7700d1f34b9bf3b99a176c59641f8304ad30c1eebd4703

SHA512
52e0a0480599543d29fc64b1436487e2f7caf3d48d5c9b21d313432a55be0798d424c6e01d0a837ef28aad16f2e2fdacc1ecaf0400c907e918649cebf2b0ee83

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
45fbb7ea8116f48edcd0295f1bdf8aa0

SHA1
d105e4117f00c56bff616d56f194fb6f5aac9fd9

SHA256
6ff423eb455b170126fd55f3836acc3421618a98faf4fd0f91afd14d2fe2dcc9

SHA512
e170960854946aa8079b24366f0e8bda8846d7688d28d68e7ee5bbf17ae50c2802467277b876d9378118515c6c01457283e1a22356a0836881e415e1a7db641f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
5cf561c4f667cac7290d322cb5bd0a1a

SHA1
4425c13034e815d52491a25b763a55a60f0b4e34

SHA256
7c5d7b9c1416ae574d9cc072c1b6f2de987f3326b8ae22a1b747c72632c438fc

SHA512
5ea91623bc293b290f2d644462c5223a6787ccdcf60de73f2011885547c0175f5745da4b8a203978dc80e35c67370792fc1628450e2f1db615004a628e05ffe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
8ee3b106a3f74edbebde38881800e843

SHA1
1d2a49eac7b2b61727840cd9b7b289ea680b48df

SHA256
bde66d9316008a0714a77e0350ca4e2b14f14bddb83eeee9bd4b0d7fea92353f

SHA512
089d4277618d958ef935b11c6ec3538bf6aed6dc127b809adb6a7986bd0fef5d3fca036000b8ad04030d20a62fa1eaca2b7bb197b4f8495e9f6847a6fcf8e55c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7AOPYF9K9T2A2TOBL77.temp

Filesize
7KB

MD5
aececcd74e9d60f4c1b7c0577cb51cc8

SHA1
654569f6d2fff22b9f219216e410004cd3f3e6c2

SHA256
4b924dec6c05b0fa2a3fdd2ee599d9e324c4d607fce7759840e0fec1a8715b9e

SHA512
56ac48289c209e9ceac41b824dcb51c85b8605b7d1802f311d0ac4d9927fac591803c10bc47833fbcd479d5ff611cf349eb6d53bb9ea126690db94c2b60a0770

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

Filesize
8KB

MD5
1129c0c67f664528faed85d0d14e699f

SHA1
c58b2fcf0a3853a9eb2049ed8ce833baf2c47ec5

SHA256
395fb492af61e16be631683bd5a8764c9968605279feac96bfc0b3a994c15899

SHA512
2c26364279cc2d2417236e04f9b5b30ba71ebcc8d5e0a02dde0b9a0c8e99476005004d58fd5d51d77dae5f9839a61f183197e41b6827feb9c38cf3516bff1653

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
81f4fad5d394c8f75fb487331fee689a

SHA1
93cd7b50b71af4dc950e3e40ec4a91a952b06426

SHA256
493e9c560c51115432dc9d5fe9f0aae6c673bdecec1bd28786a72141f4ddbcaf

SHA512
605cb513ec4796f6c5ba699c49a806930bf38930c77fe2ff0108afce6e0b9b2a7ed644f4cd40419293b060ddeb4f9b8f787d67ab3f36af139659c7454ee5f4fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2c965a2d01abbfd4d0fb12028314b1c7

SHA1
d25d9c04e89fda19f6ff92f3b309dbff8017c88c

SHA256
2beb8a4ac097326c3c88031948cd376dfc8a4a6cd9ed30b8bb7254a4a8ea6da5

SHA512
cd79143b354b62db0a5aed2ae87eaa6b9c3dc1bd666cf85e636d688b1eb9ee4a99889427ec1a4090925f5788f3dac38e69aab1c51b432d6a14b5557727bea028

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
e2cd224ec87ddc067733967a78a6afa0

SHA1
1fc229d039eb5914fa550ce2759e3e62c70eadbe

SHA256
7015fa39042dbdcab802a54a7f42e8fe4ee89578f1d8dc4454808dba5538690e

SHA512
afae9f05b3fb9e639c6ec15b7b41e78ef325a5d7aeab821a1e12f8a281f840767824c0cb52261b3d8d75473ec427723d74ca9f1b30d1ecc39026f83c3a48d667

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\42b39268-3325-4878-8805-6242aadd362c

Filesize
671B

MD5
e4efd1f06b76b50f73eca4507b70aceb

SHA1
653cbb51c121d0415ce3c919f4c95064cfeac7d5

SHA256
4d402c8781ab74cdd3144c2b25a3699ceee0901b56215dcbd307ba7f96296c85

SHA512
db0f78025e50ec93f48d721ea82f21973757ead870513b883041a37a13323afe95728c68b097e126629dc14ffa046b64cc9c530202272ba828eab3a0c9eb0637

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\ae11723a-7573-44db-b457-7c097849c868

Filesize
982B

MD5
c5fcebd259432d9d66bc9909653d3ce9

SHA1
940dac50a14c223bb82f2efd809d33369503fb22

SHA256
91c07ee69a689291a86440daa6866c45d18b433fbe45e1863348c4070c1cc5ee

SHA512
b8ec67aff26f4fddd58242e7b580598346e7b699a064120a8535d9ae0cbd0a5bebf5988c49a43690e751ed363f8036931ca0bc3c1b6c9f8716bfbc93de6f9702

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\cc434106-dea2-4002-8179-9aaaa201a2d5

Filesize
25KB

MD5
4a9e90f3b559519253e8b25156752de6

SHA1
98674341c9f5c4c3426e9c076dfb16bae68fb1d1

SHA256
87e18f2d4c5c5d30c650007beb09a4faf000551b785157dfde2c9664f0abea19

SHA512
65fbaf54ef43ce239125f606e2c365f80da81d926a31f19a80eb621789dbfed7fd62ad3a745e78d3d8903939d4c23373f137751647b26aa8a8005cc08aada46c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
12KB

MD5
be9abd18c33cb3c50ff1a267040aadb8

SHA1
f67efb76abe6e92698ed3af6bc460aceb6764813

SHA256
3b9cbe1b01fb175e66d46047e671093fe7ada01f2a55bcced93e5c23281227ff

SHA512
66f72d85ec95899e78449766cf4cc45f216ef5ecd9dc66a963231d852b79860eda0433683a57c8cb3f35f7469838e8b5f4b692ba5e885f1698a7a7c0151a6859

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
13KB

MD5
d839ecc294b588387da2145f978cc2c7

SHA1
97ba0797136f170740435d1c8f51da965147c327

SHA256
5177ce35816fc0df633d7430bf6bade382263367bb4d442cce657aaa946ec164

SHA512
81f3d64e2814f17375183d57954858f9582b090986418383c638c79274eb03c554077faa43efe926e60e41461e68ab3626c2e26ec1c75419186660745a4d2f23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

Filesize
8KB

MD5
8e4415c3eeec5b36824c25018b48c032

SHA1
8107957f09dfc564b375d78c62fd3435a5575136

SHA256
db62ce4d22afb65643491f4b3c27715c19d5bc3cf95b5af27911819d1d2276aa

SHA512
8f946c8389e24ca20101339fa6f2028e85520f14b01e39c3569c99154c0f784441735b0db68b1c12f105c6c22cd3a2fe91a50dbe98a971f7e377da76644ec908

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
560KB

MD5
5626535cae85b2db3bf553bb5be30f1b

SHA1
516082c6baf0777d6c1d31dc9a7e3cb7ab61516d

SHA256
7a79c0a26b7c75ce77855af5a29e613acbe1dfd4bd3ccf31695cc4aed3f85a3b

SHA512
4929b1988ffbc48560ff2349743589e25f6609ff96745294c1652daf902f93e10c6845f34f5d56eaddd6195975682eb853efc71ff4ef9e42f19c115a1ba787f3

Download Submit
C:\Users\Admin\Desktop\5x.bat

Filesize
186B

MD5
d9c681073967850f122a204dec3ea5d6

SHA1
1ce0b95ca1fb4856f7ac8336bbc232abb97a43ca

SHA256
6480f4b1372152e0e5cbb76b5d6f3449e6bb1850cfcd3ff394a17601fcbde316

SHA512
7cdbf65b5790a89d4c3e8bd0f37b9376eb5ba1f89ef683c92382372f3d4f4516647128bf1f87ef372de6694d52fb7dd6c537c2a0f48c19685e2d3e6674009e9e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 57115.crdownload

Filesize
184B

MD5
ee3b380704607a4aef7315173e27ac62

SHA1
8dfb6d2d660072056a0e6024271fa56f0d0d011b

SHA256
8173d4d17cb728e6f2c5e2ce8124ce7eb0f459dc62085bcaab786abf1f6b37a7

SHA512
73f823ef1526003eba3a7e1e7e6788fd5d0de7dc98afc9b3ab2b8eb6bb4c04821244d2e42870f9cf86f5e9f9804c39c4b8c37ed5ec269f1d4b2ba356f94dcd9e

Download Submit
C:\Users\Admin\Downloads\builder.csproj

Filesize
3KB

MD5
10a1f11d698d71c3aabac91658388aca

SHA1
ed75cbb133f704439a40525fc7a876f8b58ae9e1

SHA256
c9f70f72109705bf10a2c6f65abe8e4c0d2e8a3ac875f0158af48adbf69802d7

SHA512
aee7245b1730f4a937ae03d7b056e693caaaf49ff7b8212e2598d380eb93907ba6cfaafe1b685f19d97b0669d0b2f94c0ce26f7e454a629267eda927d2e4193a

Download Submit
C:\Users\Admin\Downloads\release (1)\Client-built.exe

Filesize
78KB

MD5
d4542f731eff4b359f3253fe6ccc7dfc

SHA1
20e85d5cec969e8bcc93770f52e471872f25b821

SHA256
d805d9601499c420fdc413b6440f860cad29af294765ea7d51dc48b1b0a8ddb5

SHA512
da561d8d33304a679616f2db23bba335b86d91e69af6e995cafb59943b13838cd8be8b191938254f6ac6a7e4651fffeeb44c3db9f2224f8b904eb5065de015bd

Download Submit
memory/232-994-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/232-993-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/232-1618-0x0000000005C20000-0x0000000005D42000-memory.dmp

Filesize
1.1MB

Download
memory/232-996-0x0000000004A90000-0x0000000004A9A000-memory.dmp

Filesize
40KB

Download
memory/232-995-0x0000000004AC0000-0x0000000004B52000-memory.dmp

Filesize
584KB

Download
memory/868-893-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-864-0x00007FF9E98A0000-0x00007FF9E98B0000-memory.dmp

Filesize
64KB

Download
memory/868-863-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-861-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-860-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-892-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-894-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-859-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-891-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/868-865-0x00007FF9E98A0000-0x00007FF9E98B0000-memory.dmp

Filesize
64KB

Download
memory/868-862-0x00007FF9EBA90000-0x00007FF9EBAA0000-memory.dmp

Filesize
64KB

Download
memory/4284-1625-0x00000285FCE70000-0x00000285FD398000-memory.dmp

Filesize
5.2MB

Download
memory/4284-1623-0x00000285E2070000-0x00000285E2088000-memory.dmp

Filesize
96KB

Download
memory/4284-1624-0x00000285FC770000-0x00000285FC932000-memory.dmp

Filesize
1.8MB

Download