discordrat | hxxps://mega[.]nz/file/ZDkylJ4L#uFQJfniJwSAoLUT4veKMPjh2OYR4FDKQx-2sR7i3_VM

Analysis

max time kernel
299s
max time network
301s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22-07-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ZDkylJ4L#uFQJfniJwSAoLUT4veKMPjh2OYR4FDKQx-2sR7i3_VM

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NjkzMDQ4NTc1NDcyODQ3OQ.G33D_S.w3Mpp1uOefdSmku78zjx6yVGxdVHtD_V8Xkr38
server_id
1241777458810982452

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
248	Client-built.exe
356	Client-built.exe
5572	Client-built.exe
4324	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	discord.com
27	discord.com
54	discord.com
57	discord.com
61	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 671084.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
2640	msedge.exe
2640	msedge.exe
4992	msedge.exe
4992	msedge.exe
4932	identity_helper.exe
4932	identity_helper.exe
4544	msedge.exe
4544	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
3876	chrome.exe
3876	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
2640	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2064	AUDIODG.EXE
Token: SeDebugPrivilege	248	Client-built.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeDebugPrivilege	356	Client-built.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3576	2640	msedge.exe	78
PID 2640 wrote to memory of 3576	2640	msedge.exe	78
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 1496	2640	msedge.exe	79
PID 2640 wrote to memory of 3476	2640	msedge.exe	80
PID 2640 wrote to memory of 3476	2640	msedge.exe	80
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81
PID 2640 wrote to memory of 1060	2640	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ZDkylJ4L#uFQJfniJwSAoLUT4veKMPjh2OYR4FDKQx-2sR7i3_VM
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3e123cb8,0x7ffb3e123cc8,0x7ffb3e123cd8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3284 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4292722988040383153,12032589667353046384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1344
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb469bcc40,0x7ffb469bcc4c,0x7ffb469bcc58
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1624,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2092,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3624,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4896,i,15483188125900869677,848774451252597615,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:384

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5504

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5572

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9385987d-6cbd-4c54-94d0-9396ae7e6eb1.tmp

Filesize
181KB

MD5
8d303e0de022446bb888464ff2823ffd

SHA1
26db68e4e39c578e0b3172dbfc2227bb19b522c4

SHA256
7e096fe4aee4bf16c53b0cbbde460a58d4f5078eb5cc0fee511cd113fe7c0406

SHA512
c93d5742cda2310f2c6926417a9e9a7ad32d9b854ee1c66bf4582559c26e43cb0fbc065ab4cfbc693b941d5767de35375264c135617ddbe8088f16511e415b92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6a8eddfebf80c04c8766334b91dec430

SHA1
b212b8249961e6d6b154004f93bab10ff299122a

SHA256
c6fb4d30eab27eaa8b4ac1aaed6ea01cd35b7043fb4eb0f74a64c4bc184cd160

SHA512
0a5c3c892e5b38746e3ba039ef27a0088924c306537fb203de6028e2af43bb1c0ceec5091f30d26f3b40848611e93096d2f72953a15a5236406d7bd58c19303d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
be769699563096fc3a1668cfe74ea76c

SHA1
0efa7ee2fc841f01e9b6b0cbedb6e12bf368210a

SHA256
d2cbb53e0a59a4e6a08f1ed96ed34fb6ff6c0dfc39bd7f05ff9c87af90523b47

SHA512
66583a86dfa2ea160014604c500ad19fa28f9bdefc5e7a3db6107a43ce36116501a47d2c19dda2aac522642e1d850b5609ff72fc27f290caa7a2481ed6bba391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46ac3cb6394df673e110c4e6132b3eb6

SHA1
38f9d3306e01f5f244ad5a566714adcc996ea3ff

SHA256
a14b85ac67faa513131c0367ff1d2baa5a29b374a6a0ed641caf0cc910fcd8c8

SHA512
54b5210a7069c252cc4dad497687531bce68930f5f151df4442bcfe2b8adc48293297d78749b34ae8b899d4380b36754f0f324a0ad978976b4f3a3994efdfa53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
62951a2da4835eddc79173130554662c

SHA1
e4a4b0cb37c0bab4c4f9aa3add6ecd80f5609153

SHA256
b4ced565deb90e34955fa1aef4bcf1e0d9b880ebae7b32dd929b626db7cc7c17

SHA512
df54d64dd2f946ba60cb8196e4fcd5f72dd4ab650b0250e02f9f69923f217c6b10140c7724635f2403656fb8a495645a0e6d4b3f261568959d72ace9d4fc468f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8216583be02c169005a7832b498ba02b

SHA1
87c06a89565854a63a2677ebca15c237f42572ba

SHA256
148427fa7b43cbc49275caa2dc2ab45bfb536160011d6561d3621ceee68e2441

SHA512
100a108455c198c6125a504aa8737e56be2b1fcdace89d5992a34b26d3acfedb4db6dbc0518546846e691439d027e92015310376921d19a173829f2b3eb135a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
064ba55b5c2f42b00183c1f8fe6f02b9

SHA1
a1192f82c49882388ee70b0585619876360454b3

SHA256
d7d9efebe9f8daec32b86906f5f22d13e6359f69cf08832b406a230ae2946446

SHA512
5212851c8a3e9135dc782f34b515e50e2c42eb996469445a24b3a3b118127175d5f9b9164ef33017d9b48f275c29af9b8bab262180af44e1ced2ed203cd98bb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7089674e8b9b337744f4ef6fefc96a2e

SHA1
d4cbf47ab82665859e4a6aa4110a0526c8198d9b

SHA256
07c29876455d8c83779a1dd96e443738c6ffdfe7b0bae9654e9cbc9b98f9456a

SHA512
1cc6fbd45897a328f92fa8a7ba944cd02320f04cbeafe028c523e1fb7a561beb03f7044f2056189ab01c33c8fc1fcdf673e94212511d1aa0d1f33566d69f6dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2456ee60a176faff1eda88e828515ceb

SHA1
94b1bf9858a8e41f100d8d942f26f469f420652d

SHA256
e8ac13cfa9d7cbabddd58c715155f778f5ccb1b219e571023192eff3cc53d0f0

SHA512
75db3c1fdc152fd62b1aef1bd406a059812f592e373b1c4e3a47ef9c8c6e47034670bc39bbf8b5422122b70e40251cca955ca29d182fa7ebcfe96852559521e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d0dbcba39cd934a095e7fb839e07165

SHA1
2b09ecb278c9b060a8b42dbf41570621530912e8

SHA256
801150670b3ef35214a0453782a7e3b888d0fdba7da1f577a5c2bb2b77a84294

SHA512
a0a83bccf9fc4de06cfd624c8e50d91ecca6f53eeb33e4d6e7b185aab9716781a2788527b0e3630d89e72ec73fe88d950cde89795e40cb5aa12921539d6acee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0c306af11637abc44c9e0f7360b9596d

SHA1
bf08fe3099c2f80f2ccaa59066d3530e8b809235

SHA256
c3c1569ee763cd945c77d7034a11f8942267a5c4b724125ae2e18d25495ad663

SHA512
20c7e55122c476759f9e75ec33cddfebac6aa131cf33167bcc266d08d6ecfb61c9ab17cadb7f58a2f05df35075adea02a423c71bffd143bd6e0ddf39b362a0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7bbfbe1fac7c0e887aa296949a5079db

SHA1
6ef97fc46780c1e0ac782c215bff19f48e3ab258

SHA256
9f26fb562a82225a96da5bd1790ab2008aff6599fb6761d2a3bf658123ba98cb

SHA512
875ffafe471191039a5e4abba7f02ac218d867574e1ea161120f9112afd032a424693792aab1321b2667efe79b45263a9f97b7002d2736de59ef885720e5b55c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
8a3f9515e1e945b0aaa17315c4dde16e

SHA1
7470ece9aebcaa8baa5e67614e4ceae953961f47

SHA256
2e648ecde7fb6f2a5d0d57adee2d21932e07dad13b2df2428339b6e876538c41

SHA512
cb4f2759a6baa45d9776d40de0353595175f6dfd29f92c930da09b60b41a7bf724148612a4bb832796795e1f3972a4b7f146de17c4558c09b015f7bcf0b9a731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
afe63f44aa3aa9393e4251b4b74226e3

SHA1
29eef15e4d60afed127861deebc7196e97d19e4a

SHA256
7787181844d106768f78847869b5e784f07c1b65109d59b46932979bac823cd3

SHA512
f0f7951b5d55c2cbb71add5ab0c2ed3617a6fdf93f2c81ee9dd15d9f7c67881b42cbfd97cc4d2f17ba8a383624b23da1897fee069ddcee34233c1f625062a1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b0c53c5fe6ad2ee4ffbde1b3384d027

SHA1
0c9ae4f75a65ed95159b6eb75c3c7b48971f3e71

SHA256
2e9fc3b050296902d0bb0ce6b8acc0bb54440f75f54f1f04ae95c9956108171f

SHA512
29f62e085d685d3b4902515790ab4f298454d0f8d53b6234fae9f9a0edffdd0d4edee57261e8eb0b94a4af8e86d3f7ab8b044c6f259576b89f91183002e58b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7d76e3e936c36bf86fe978fa58fcf165

SHA1
cb8927cc215b0827b444738ea95bd68a71204ba1

SHA256
6000715adf482ab83a2b581d27f5ee0a8dea98f87877fc2ce842ddfca70edeb4

SHA512
b31b02cb6b94b72ccaf332331424c87206cea387ba4c95518f77f4793ae2ff6e93c5c5e3f043bc1243dcb3b56cc56b00336d3a4809a78aa1580dae41e085f8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7abb66fded504e2458f7730a1abab4c

SHA1
eba78bca95f38e4d0457cb7297120171f433cdac

SHA256
3a13b65c4596ecbb54d9147a7ccd0c3b0ccf13d8900a842e9e858a77d452998f

SHA512
483c52dde927c03db32ad4ee504173db883270ab49b1879b75beb740f62ca402f6eb4fe3c437c8ffab4fddd8ec5d76dd5f124efe40256a3799a4cec856ecc218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4964c5e3b057cbae01f9a91221438ab

SHA1
87ae859219b1e2097d5f0a26538f183d127396f5

SHA256
405a585f0ddc1d642dcda047d02544ac63f0fecd15eeebb09552f0722f0e2c96

SHA512
d947b194689b3c9824d5338b5a3541e7438fe3ff3accfe9fd22e93468a7a08b4224b57cb30dea93289c650788e28622893a20d19ea52d6134ebafe9af3b1139b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a6a9027133bb03ede6e517026bba1fd

SHA1
e5119a8d901bb1d22d0d54dd938452f53d4443fd

SHA256
10c7f0a6a34909ae0e2af7c780051dccd06ea2e30b6382c50c9fa00263c9bd6c

SHA512
19d5fcb292ad29da17d790f06268d470b8f324784b7a18fcd42b04ea4e3065d435b5ffd2a5ce3dd906f26e2508ca4c9362abf350579dbdbec0ecbed0b1b64674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f68fede14382b59d5cd3335d270ed614

SHA1
6b42145d1389560374a2f5a637a12636d6d043c4

SHA256
b7b53bd3cf75a548b496a9e305976ad2ee168186bc991ec933fff7e52bb6b9a8

SHA512
44f17b84cc7cf84de4648e4139740ae6269a8c4f86f581d452ade92052ddcb7bfbef03925d4f43ad44da69bf936eff01f386e94cf2eb8095b76c697d0471985d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f84a.TMP

Filesize
48B

MD5
91d4e4a5384de8dc85a337f0e4cb381b

SHA1
3c961d606008e5569dab68a125f17da53d85fd50

SHA256
e355980dce56b8cd107e032790cf1a8756afc7a9c037894865b34c5b73113170

SHA512
33e7d684ca0e2b19737964d3ed0ed2d3b5e50154b4d035434f2cf32504a091426e82a1d9cb1601480808de301c9a4c5607d4f451653f5d51c1d38458f99466c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8de0b958b99bc3246ce2ec79fae7e909

SHA1
b7192045d5b6550b0d52bced64fe533dacd524d5

SHA256
0409def0e68f5e4f393241341d2e01bd6f0dede8455c19bbb199cb01bc440570

SHA512
bc5c3240fc7e779848437cb8ebd89390159182e9636ddb6269c4cf74d6c1723668c9746aebf11af15fbeb5a4e41f3994568ed4644626c24dd26e119cf0a39fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d02ed64ca6a3fdff45e4655a58072259

SHA1
effb235b917cc3fb0255663de0de0340b0a402fe

SHA256
c064d1c35419bfa09b03715641239a9c6a0f8a9f94ce06e99dd45d4618e7b3ee

SHA512
428082a20caf44b07451bf5c55ae1d84d7e85cd34f6ee670354759584ceecb33177c4b368c4520ab994fa50fcd7ced9c52231bfb6497ad4d57f347eeb8b95459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18a8b1dfac36806c480b37012558d121

SHA1
ef44573d8960db95f82ce7c3a2caade88dba415f

SHA256
10a9444729c0dbad29e3c5c20caae06b6d9bdb64af22fa195996f163a19c26b3

SHA512
a039c10cf5489016f24ff9ac2a4e8d1c6e009d471088361632cdc12dfb26917547cbf026e0bb8fa26aa8870856e5932d3b79f7bb43148e63f0476e5ffed5099d

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
391d283f5ab7ce8a2973cca1511806a6

SHA1
5b889167f2b82e7181326fa16cde7001ac5aa8c4

SHA256
d90775adb30b5141da41f89f77b6668b15eab24c2bf65422f162425130c3065f

SHA512
41372aee3e54bc1d17aa4bd310f53186792decb4e6b27583a60c2868dc6bf6922f2df48ef5b6483503a48df2f1a17f881ad96ecfc04e3d61da7ba1ea965ad12e

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/248-181-0x0000024357A20000-0x0000024357A38000-memory.dmp

Filesize
96KB

Download
memory/248-182-0x0000024372210000-0x00000243723D2000-memory.dmp

Filesize
1.8MB

Download
memory/248-183-0x0000024372B10000-0x0000024373038000-memory.dmp

Filesize
5.2MB

Download