discordrat | hxxps://mega[.]nz/folder/3ExDlT4b#3AwpMYtmlnh9srWS8RihVw

Resubmissions

02-08-2024 08:58

240802-kxgyratemk 10

09-07-2024 10:37

240709-mn12da1hnd 10

08-07-2024 09:32

240708-lhz2fssgrj 10

Analysis

max time kernel
214s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/3ExDlT4b#3AwpMYtmlnh9srWS8RihVw

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5NjA4ODM3NDEwOTQxNzYxMw.GXCO_h.FzCXXHzUl_a4K5zaggRAi_SdLV7ZD0of0VLMPY
server_id
1196038125751906374

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 6 IoCs

Processes:

generator.exegenerator.exegenerator.exegenerator.exegenerator.exegenerator.exe

pid process

3216 generator.exe
4948 generator.exe
3632 generator.exe
5200 generator.exe
2224 generator.exe
5308 generator.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
3216	generator.exe
4948	generator.exe
3632	generator.exe
5200	generator.exe
2224	generator.exe
5308	generator.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2077438316-259605770-1264560426-1000\{9D65C44E-35D4-498F-A01C-986242F15106}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 360357.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 360357.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exetaskmgr.exemsedge.exe

pid	process
4808	msedge.exe
4808	msedge.exe
3888	msedge.exe
3888	msedge.exe
3852	identity_helper.exe
3852	identity_helper.exe
4840	msedge.exe
4840	msedge.exe
6108	msedge.exe
6108	msedge.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

6060 taskmgr.exe

pid	process
6060	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AUDIODG.EXEgenerator.exegenerator.exegenerator.exegenerator.exegenerator.exegenerator.exetaskmgr.exe

description	pid	process
Token: 33	4616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4616	AUDIODG.EXE
Token: SeDebugPrivilege	3216	generator.exe
Token: SeDebugPrivilege	4948	generator.exe
Token: SeDebugPrivilege	3632	generator.exe
Token: SeDebugPrivilege	5200	generator.exe
Token: SeDebugPrivilege	2224	generator.exe
Token: SeDebugPrivilege	5308	generator.exe
Token: SeDebugPrivilege	6060	taskmgr.exe
Token: SeSystemProfilePrivilege	6060	taskmgr.exe
Token: SeCreateGlobalPrivilege	6060	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe
6060	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3888 wrote to memory of 208	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 208	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 3668	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 4808	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 4808	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 5024	3888	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/3ExDlT4b#3AwpMYtmlnh9srWS8RihVw
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeda1c46f8,0x7ffeda1c4708,0x7ffeda1c4718
2⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4984 /prefetch:8
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
2⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
2⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
2⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
2⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
2⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
2⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
2⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6340 /prefetch:8
2⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6108

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1080 /prefetch:1
2⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,665331487646492135,8577012650687226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
2⤵
PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x464
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcbeb5473h144eh45d6h891ah0690d104b2c3
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeda1c46f8,0x7ffeda1c4708,0x7ffeda1c4718
2⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15018336435966080963,12231279411927088391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15018336435966080963,12231279411927088391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
2⤵
PID:5828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
352f392806c1ca3f28b2bb478b4aab20

SHA1
fbf77b667ae76632355ddcd4f2fcd3b2bc0bde01

SHA256
d3917e4a9d33e745b46a9ba13c241b0a7a3d6e9176cbd9e0b6db48211905e6cb

SHA512
cd83d26b129adb11a74bba17a6d82497539674d50bb8825fc9032a1183e92aa49c42fe6e5dfad000701d4114d2b077db74ba8b22d4cafd0148e0a8a91eada656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54a5c07b53c4009779045b54c5fa2f4c

SHA1
efa045dbe55278511fcf72160b6dc1ff61ac85a0

SHA256
ff9aa521bb8c638f0703a5405919a7c195d42998bedc8e2000e67c97c9dbc39f

SHA512
0276c6f10bb7f7c3da16d7226b4c7a2ab96744f106d3fea448faf6b52c05880fe65780683df75cca621e3b6fff0bd04defb395035a6c4024bb359c17e32be493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d3901cd618f65d66fb0643258e3ef906

SHA1
c9b42868c9119173ff2b1f871eeef5fa487c04f6

SHA256
1f74c3d5f4d41c4d5358e63ad09f8cede236eb66957f9888f42abf98b238c086

SHA512
89c122ea72ae3f26c94e34040e0f0a856506c8490ba36fce371a731b3f0588407c6356cca2ebea37ac829a67c2b398e298a64d5a72712172f69071264ca58e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
32KB

MD5
610293cf4ea82a578cd1887889626ad0

SHA1
8f505a4584e51bac66f9b6a623a1675e5cc10cd9

SHA256
66753c185ee3c839fa84adad3e2809f4419fa87be1a4910d05997ff33a783324

SHA512
80103e0a65015af0f79c7c37f63fa9ad7bd0290cb7d1f2324ce17811b3a125af27f02958fa4d55590f4f8d29e444245066127dcdf201c9f522e00b79f82e2e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
32KB

MD5
9d01eb0a17ab073b23578fa43d8cb8ff

SHA1
9494cff21da72d4c633827d4316b5b3295e837f0

SHA256
c262b68986387896023519db8825e3ed1e080d5307b72474bac05ec98185c530

SHA512
6c78a5cc939506d590dd63dd2a630e92ce68de84e4055e093bbd3a2f233243da12e315f5ca2d221948e39d5fbc951b1e958da851d31b41b9a86d29a133e3b3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
92KB

MD5
8813ad599316ac04c0f610839a98feb1

SHA1
a6b2b9e9cd4f93cd4cf6714172dbfa1fc3cf76d9

SHA256
b86b95e2dcf381c34b0a14744776ed258b99f32b9839c7bbee93c3e6eb3a2dd2

SHA512
8dd5e4f84b34ff5874d5790267d373a3bcc7fbf2199ca19f3268e12441ea31393d8dc27d8824e2bbdec38f6197030134903adcd0260beac0f9440e2944c70ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7da318ddca08d3da632362f1d597ebc4

SHA1
c77918cfb04e40abd990b14f9661b69c8fdaacba

SHA256
880c0861cbe9ac3d23c0698bcfab96de1f9f30d73e57437eb55fec24627505d7

SHA512
5c9d2ae8dd6a5efa1c83f8632fe6f2e88f1be72e2d4ff558d54852d033eac142550e86b5ebfbb0c9d3d2edf0b29d03aae6fd9d0718efab3aac651c1701cd6aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a391464c305c8b8cd9bceeb346223478

SHA1
a6295dcb2358aa5faafef5b705908d09994dedaf

SHA256
22799a6dbe776f0ba26cd502650d1af4658f8e20fa7332357aa782fea7dfb394

SHA512
d3b03c7935437982ad7425d4615a085b7d1916198a518ba49c0c5e74dc898abf439d89a33b125d860b41d8b60df3cdb6281ae5a96ad95a145e946deafbf6964a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ed199cfc57e7860d9923ca5c5a9366ef

SHA1
398d60bf2bbd42525d277b5b91755f645b295c48

SHA256
0ecf1f0ddb64504fb24e3f74c49a5aed1ca0e1239fb2409aba5cdc3b65a0d732

SHA512
605bd13bb19458f4383f5dedc037300f9f17e834743b68b5c5e03e6f2e4aec10f9c62554b4bd2ef8bfc61aa99ee762d3a055bcc681a2d11562d260714f5699da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fbc01cc2e466efb65bc22e2955e5fbe3

SHA1
64555bd081b9a1428f9f74dd51a4933dacbd4c3d

SHA256
254829362b9c28bd40fa490022945536ca662a57d73e5c8c5e1377149195e41d

SHA512
e1df680a385a7899c385c05c83311bf7bcc73d6a2f847ce43ffb1718b73538a1e3f3b31f22b4f9a774a24d33d76133321674e61839b2dfd05296c5a2af326345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98632301404c2df0a78b6356bd2dc6a6

SHA1
aba8ec0c8ef24d33e930ff15547c4ef51ba71853

SHA256
005442900b0ca12139fb40babef571a3a04e451f6a35e687cc547236fd323006

SHA512
7ae9ac9fcffad555577430bc060da84a5a158279fb1bd939411e9f833865af0d310cb7024a945dc510bfff693215b7e9b819542d610506ac2cfea69ce5696e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e8bb5056d4729dd8f779be62a736adaa

SHA1
d6b60ed6814ab03ef8860667cd2070f1821fc3a2

SHA256
0aad55ae007adf34736ce543c2590d0e4ecddb5484983ad467514998a4a3220e

SHA512
00a633f065daa614a82768fcb9154a4ae826bcb30365aba62b7379893dfe5908fadc084f49c9a2054aa9b80499c2c15aed79a324d9729c54ed93f8225617e8c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a3df89992c35db40f6b59c994f91212d

SHA1
6764bd4919d1fdab60ff131e6e23c4484d475a14

SHA256
ab19bb0b1d4c41b780a3fb705c5660a3fee22791878736edc4f852f1c39c4357

SHA512
0541ec677b92090ac4fb72508aa7b89e81655a22d13e4a174ba1b1a31926f124c22e54c018c2d74371d4f6e33eb48b366da243ffceb5454165fafd82add75a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccb82efd72bca268375f834dc415de0b

SHA1
889b3502bbe514cc11ea5413b241dd7bb5aaf52e

SHA256
2e1ac8343d91f2fb0746369f9a64600d262ddfb06e0ce3220a8be78ae4491fab

SHA512
58efe9219b618c16a438e8ee641c3a322cd88d87da86813058c21e24ed5decf4ce67597a1f634dcc110935e59014d90c1f8922cef65b0990cc5e7719ce3ecac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2f870129-9001-4bd3-9b79-92fe005bcec6\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c71da312-3267-4da4-84b3-3d433018ff5e\index-dir\the-real-index

Filesize
2KB

MD5
aae194c76a2ec053e1869dee98dcd3bc

SHA1
e88879c871f8c3927aabd1a500ef23f34197ad72

SHA256
677aa6710014d18bb608a2bae25060b77ca1960fd0d24ae466a83894a06806c8

SHA512
7ee6b6831e3e223bb3c335dca78e541440594743167c9df7f9da3da5477a4bfee662293039b3df9cd549eb2c8b35a6d73baf73d507213498f9da5923ac4ccf64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c71da312-3267-4da4-84b3-3d433018ff5e\index-dir\the-real-index

Filesize
2KB

MD5
b9ae70cef6272d345bb495d8f36fadc4

SHA1
afa2706f14e4038c9ec78051aedb88d609fc488a

SHA256
e203ef0fccc63c73832277760da71a6b6d0ec731c8a0e5af6058a449a4563022

SHA512
105e36586831a9e8bef1a4c21ac6cc081da9acda26b5c625146092c047ec2b3872c1a169eab114f8993112ced7e7f645c320bb5962825066e45a3121e9b15c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c71da312-3267-4da4-84b3-3d433018ff5e\index-dir\the-real-index~RFe58cacd.TMP

Filesize
48B

MD5
a3719a57647a86b59a1dc9d6c8c9273d

SHA1
faa10bbe98af57d73ec155465bfae33dbec6ebd0

SHA256
9bf94c0585e63aa9fdc555b8d87c1a90b032fe7671894035242f0e407da5eb1a

SHA512
e5678f3c419dba0c1e2342f242476a3cf70de2da615ff3e78a1be5016fd90dcb09b70c52495c89917d779bcfb3ca1eaeed480c6768a61e3327667f5621e5dc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ee0e7801-b2a8-49a6-86b7-4883bcfa8f53\index-dir\the-real-index

Filesize
624B

MD5
fcdf6cbae77f346dfdc97cb8496a23c0

SHA1
0e7dfae60a94a9559586dfbe1bee33a8a3b0f58f

SHA256
02f69107fd4fa83f688271f4215df7d46a719702c4513e789cf247bef9915ddf

SHA512
accb6e82aa6e756770320ab26fa9406424e8e77b7592bf8ca70f4ac26bee391381f840ebf773689cd86348ee48dddf06342154af1d3f1ea4e1432380f91e3194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ee0e7801-b2a8-49a6-86b7-4883bcfa8f53\index-dir\the-real-index~RFe592560.TMP

Filesize
48B

MD5
684bc0e7863a899cd6c3b98e0416a708

SHA1
49fcfd6a3bc9051fc2d92fd72ca03e78a9d0c836

SHA256
6023095e4ce1907926216d9d6cd95c14c48de15e031d752716ba629897bab665

SHA512
fd997faf752cce1bb3e4c9dba3cce6be7e4fcace4ef696b70b4123a24aa718996c7d11ba2eefa13fe2f9311e7d6f8e06ef99eade3049ae4a941bff437e5f2730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
8049bedf98836210ae9a4ddb8ed09b89

SHA1
1f09164c2e4794460b8778794cfa101340081eba

SHA256
1f6cb5fd1863adea0aa5879faae06fef7f013cda432b070b3b0a85cc06803331

SHA512
2e84d6afc2067c3036538de6ec54ee1857fbb479be9659ab9850b798089c7d8406ab71b8ffa95b4c7d6616fefba325f0e760ec0f6f46d84dd2c2f0552ecc0ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
cd74ba21b5d17d52b9d367e89abbd2ae

SHA1
7f0b75414501b1d5d21217d0c73438797654f078

SHA256
1eae6bba06f9c6ae862d9b7cc2bf6f737c2e76f1f8032a54cba36fc8b40b278e

SHA512
d9438eba9177edc9e087b1229bd90e9e7418bcead7967d934b768f1faadc53f31f77077fc1526cb67718f4c520159094f385291290578fba54566b2789aee020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
47d70ac67a47bac645e5df8317bcf244

SHA1
05aa36b6313a396e21d77a0f43aa8b332e3238f5

SHA256
a0c8fb9d27846d3dd08719d0de298bab7c257914ad7b263d9a8c0f20b1df53b6

SHA512
d68fb89e3d945636299d0ba2511cd299f0fdae0b2a6a4f0dc4e33ba6d6e5f7c2035ee0140240e4ab18116ea03f7642d0367eb5c57c886ff35417f33ccd51e535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
75f22882eea92d069067a60ca469fa35

SHA1
d7bfcb227ef979d489c09e5ff2b6845bc41837aa

SHA256
baef15034776f131527cc635257fbcc1442df7dd16473259368f38eaa2b562b5

SHA512
2e664f052c5c77adb311968d8d39cbe549d54682817322c28fb9afd1045d0f51eee20b1a587639771fc5c8c9a5c50b2245ca8d8bb403dbd8cdff1cd2b8a1f6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
6d501561aed6462f4a8765f987c7b2f5

SHA1
756bca793e0fd0512938ff610ef029bdc9a1bda1

SHA256
5ed6f70d3290cc03ed827d2327b8a30b4180475751146b879eead35a2872d484

SHA512
3b66c201f193e28811b7fa4127adeefdfef4ddfc44de7a3f8ede3a139f68896bce552780c7c05b37c0fb682ee16b2e72af37fbc06e99bf605a9b0f8b12b46791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
66c93cc12a48b2fc9e0448e0bde5eaaa

SHA1
75932bb4479a6af953e2b7819fa5828df25015c9

SHA256
cf9d6557d63bfe0d033e3b894861634e4765094a024221ab82c6919e053e0896

SHA512
d5c0a15df767dbeca9690e99267e5664ddd43642d8987086c72563f29fb86c525be8ccd66e0a23feb28d0567905cd064679edcb210d4121c5e8e469b5c679091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58b8db.TMP

Filesize
89B

MD5
9b5095a00b8fb85aad481c2ef0a68d9d

SHA1
8cc16827a31efb1ed91cc89cfa90b1f99b3ab2ee

SHA256
64694215934ab5464042210cb9748a8dd523c1618cd4e7faf6648dc438b3c172

SHA512
2b866abc821f200e272180dbf9496d4391ee2108cefbf99795743d9b9eb7e0c0f8f7ff3977aa7ad85cacf200d9f5080c6cf89c196295972690455ff996d9ba59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3d93587b60b412655830ca5456619877

SHA1
2ba7181ac9053a66626622fa2ee2248077e02920

SHA256
c676d555741cee6a65962e281f82e44c59148a70eb82b10167a1dc1ef5d54315

SHA512
170ab9b0da07870a0b47c73dac5133691c2e737e2fc54f3d0c2e03ef4a5d9b968d8153376d490c183527ff1a2b174bdd9da51469f613cf5ecb7ba363ba7030b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
ee86105eb9bfe22fdd2313b6a51c2bc0

SHA1
96d613b65ac23876c1c6fc68a3b56690626bd8c5

SHA256
be598fab7eeb3e14ef22ef7ba8f987992de91c620ec310ccb3478106bfea983a

SHA512
dbcb683589a77a769eec60d4a40868342440db9f472cf6812bf3baa3aca5256712e61396a02972dc848dd9d4db2bc8a479a7476c9e224e00a2be0752379f8d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586491.TMP

Filesize
48B

MD5
d56cf21cbf2a357e137ef77d74fb5750

SHA1
6c4670f9bfffe08c50859b91fa4bab56e2344b1b

SHA256
aed86fe0331402ae3706fb2da8fa5ea983f6505e36106bea71d482d4f6298a69

SHA512
cfbe0a02dc03146b1eacdbb906e9b7599f3007f4b3908e21db19cf6b3efb0e3372d23a6140507d8ca1a5d9779d8c2a0c932f72cdd5802dcdc802a0bf02d6cd63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efb327f9b3234b972e82c555e2500f4f

SHA1
2b9cc642336f3b452881002798ec9f00b5835deb

SHA256
2cd930d5e8736af9d55332c2e32d4ef7283204d50ac3e19a5cb3eca57e108b62

SHA512
e02b014560069367310a1670dfd5231f954e288c4b5dc1cea4694cb74b2b4459e22ffd6241e31975382969a905214cc0b9290c241a27eba46ec02745eb8efca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
821c92474793da011db6af8198937d51

SHA1
60e6ac8dfab67138f8bc483d53e0ed01a891529e

SHA256
2f43dc23aaeb858c686b5c7a6df1670cb6b60a99fd5bccb0252cb6dbc734317a

SHA512
64fdd973ce7c4413b3afcd5304b2a95072c073f9ca849062a2e2ad6708d2cf5cb1461fe22ce7520e1410cae2cba9ae250744b2677ea5eafa1ced644b8134a31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588930.TMP

Filesize
203B

MD5
0da25cc16c73be3dc5b89e76921a1967

SHA1
71f52f3150aeb2814a47f13e988a01e715cec2b9

SHA256
5032eef8f0043b1a2f70596c0aa9a6de79cf5f634b2c3eef17c4840c782d09f1

SHA512
2a887d2852725263422e390a1cb72704b590f1863b9510351fd20cb7d769979a4b10312a593b9f1be4d18b8228bc7b5213b72b2a9ee2c7b8e00945932b6ea056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3fc78d77e3f90d7c140a41d8c0e1cde5

SHA1
51bd8ce46c0d9fc3068310986f542d4b11dd8b24

SHA256
d9d1fae2f0615449567d530d36fcb7534b5f362c23a3524721c1a92091250ea8

SHA512
074eb1da8eec77940f16a1619a3f859191e3e2e8551b10792ccf180e22892a97055a942efd342267ee657ed459e05863c676d41cd6598c68f4dc0707d5e8b3e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
334672072778ff1dbbdb552a34da3958

SHA1
92587f84d317e6f5f021c5347c86c675426b7a60

SHA256
33d88a7dbd1855656239b58949333217c4b6ed7809e1b8820d1e8dee05f78bbd

SHA512
c536ab169d95ab6fa91135acc51902ad21d122b1854bd53adcfc387b9cc1e22980d6aad89aa76ebeed88d41e322b461e618d0d550fe3fd8354071617ca1ccf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5f9423e32046aaedec28ee9164f5e867

SHA1
6760eeb3bd2545e855cc7527506d1bfd9f1ded79

SHA256
7753f234688135e80fe3691573bc4ccc89809520441607b415608c8c50f45361

SHA512
f7c7c60bfd253d04997b65a6e2775b92ab82ec60fe9a4697c60791f96590b23281b3f97aea17ca6ac72a5485f8b4ced7976e4a014ffb233ad25d177dc37f099b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7596219e6aee0a98508cf0ac0d9a76bc

SHA1
8bcf12ad9de596eab94d03ee653eef8d8b0d2ed0

SHA256
a138718362a2ecbe3ae664a237b775824dfc3be9c0ca0faa41cf0c9e12f95d5c

SHA512
1013bb1a4ed677bedcc8cd7d82dddd2c6d7cbdb40dde85e8a3a23f185e153071bdad082fe55388d4b413052fc7ab3aa84c4ee83aca61c02bcc10c8a05f2460f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
03ea9ff0f0cceb05db4e845c0fa78fb9

SHA1
d938bcd2a10c4b3adcd3905c9dda853e45f51a34

SHA256
852dbdfcf476f6fa16ae7a61e2281f6cac1ed8a1b1415273bb24f59079c53627

SHA512
40bf1d8edae3343a82d7250355cfa7b80917219e330d89aa7294e87e8855d9c1c6674d6f5c70d7624734d29570716aa5b9aa9978c8542be2c6097e1b01358910

Download Submit
C:\Users\Admin\Downloads\generator.exe

Filesize
78KB

MD5
31bcda599c19f1632e95d5a507e0ebbf

SHA1
7c005dab2c1ffc4daba3f712a9cc2d8938fb8a4d

SHA256
f65160ca4fdef810b8f508ff89c5d6aa179f016a406daa6821cf547dfe6713ce

SHA512
575bda4b684b9cf786e2de32b69d5df31e49f15964113260b74058027a305985ea0538276717547ac630f1d07ef84913b5c21e9b32df6d28db0c5da637f944e5

Download Submit
\??\pipe\LOCAL\crashpad_3888_MBTSDANBYKVYXLDL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3216-1096-0x0000023954010000-0x0000023954028000-memory.dmp

Filesize
96KB

Download
memory/3216-1097-0x000002396E6D0000-0x000002396E892000-memory.dmp

Filesize
1.8MB

Download
memory/3216-1098-0x000002396EF10000-0x000002396F438000-memory.dmp

Filesize
5.2MB

Download
memory/6060-1182-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1194-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1193-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1192-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1191-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1190-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1189-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1188-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1184-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download
memory/6060-1183-0x000001E55F2A0000-0x000001E55F2A1000-memory.dmp

Filesize
4KB

Download