discordrat | hxxps://mega[.]nz/file/1BBCyKKR#0BcXNMbdW1r2fsggeRP4xvvq6yXd_ftr7wOQEcDIp_Y

Resubmissions

25-08-2024 15:09

240825-sjwhzszgrc 10

25-08-2024 15:09

240825-sjk29azgph 3

25-08-2024 15:06

240825-sgxy2azgkc 10

25-08-2024 15:04

240825-sfkbjszfng 10

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-08-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1BBCyKKR#0BcXNMbdW1r2fsggeRP4xvvq6yXd_ftr7wOQEcDIp_Y

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3NzI3ODc1MTMxNDY3Nzg2Mw.GKptwK.6ttTGh-Su92JyjNbovqY4JTGfOdndadlxBfGrE
server_id
1277277846360031292

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
3208	Client-built.exe
5476	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	discord.com
39	discord.com
46	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690722158903140"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2780	chrome.exe
2780	chrome.exe
4684	msedge.exe
4684	msedge.exe
2924	msedge.exe
2924	msedge.exe
5888	identity_helper.exe
5888	identity_helper.exe
6132	msedge.exe
6132	msedge.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2780	chrome.exe
2780	chrome.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: 33	4512	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4512	AUDIODG.EXE
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeDebugPrivilege	3208	Client-built.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1204	2780	chrome.exe	80
PID 2780 wrote to memory of 1204	2780	chrome.exe	80
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 1756	2780	chrome.exe	81
PID 2780 wrote to memory of 2732	2780	chrome.exe	82
PID 2780 wrote to memory of 2732	2780	chrome.exe	82
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83
PID 2780 wrote to memory of 3356	2780	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/1BBCyKKR#0BcXNMbdW1r2fsggeRP4xvvq6yXd_ftr7wOQEcDIp_Y
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7c96cc40,0x7ffa7c96cc4c,0x7ffa7c96cc58
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4284,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4672,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4776,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5576,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5092,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1104
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5716,i,16056687594811162712,11366081412810924562,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffa640d3cb8,0x7ffa640d3cc8,0x7ffa640d3cd8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,6069910623510443381,10683977954837502093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a1fa046a45a187dd0e4cb0aa7c01873a

SHA1
c9db5510bf9e04fb0b4247238bcff8715787d409

SHA256
db2c1c395330c574be16b7881c9f7508307b073c401711e9570cdacb071f5ab7

SHA512
56b9b60f81c69d9611fd459d1e2af45f859efa3106d0241bb2ef495a3f150cf7ec0d71c6ad015aa4dfbd7f9bda82981679c4e78007735529e47421f469b40518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
dfb3f188c9a5eef7ee6fe50a9642f0bf

SHA1
c4f026275961b469bce5293764e2b71c4273282b

SHA256
67e7beca508e24366464c8dffced3edfa56dbf30c343ab8046375d59ff794a6e

SHA512
dc9f7f6fd0eb53fb370466ff1a713bf563f70c443fa426956f3026e44b64e1b43e3914e5d4276300700a59d006f8c4717855d6d2fc176cee77bdacb4fa1069ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6aa8f72bd32a7abfa79b813315f5a4c1

SHA1
16018a9272cbaea68af1763b416a68e585a71a32

SHA256
6f9946e84b87f1ccfc1e745a486d638acc494974ac9ab076b69bc2476735c8f1

SHA512
95d8bdeaa207a2a59a6ae72c95efc09634dbab4ee79558a1a97e53f20e5b3153da106eb0810e1d14a67346b1f2573c72a6676e8c605ef352d3586f3a00281e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
8aa2d7c41eb4fcd986335f5cbc3fdb6b

SHA1
6991e3e4e5d3aebc6ba8019b4d5317406169539c

SHA256
ea4d11f57607fedf5cff60c814027b9c9470fec99ab6c5a4218e23a3d85386e2

SHA512
cdcd86c0398ce4e37267c14ac9e1bdeb781b2a594e887356135cdc477da20cb8c0357abae3f22cc4d94bdbca071853ceadef7848c06c539c52ac2819f73551f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e09e18be207f8da922e03192dc3b2225

SHA1
a3e9fc28bd402f373d077703eb59f8f4d05e34dd

SHA256
7a71758be689db2f3801acffb0ccffdc69108d99b67dcf3897ea8a0cece78bb5

SHA512
0c8606e9d6e732b84e24f0d64fb919277f5401e1f43fafc2ba46d7378215eec49078e94017eeecfead1de406ff76a0e3a43fd0b0deae083dba2f24747c49981e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d7423f27ab98f531643ddcf3028283b

SHA1
17b857dc76e7ee7c9c2246d974371ef89bee88f9

SHA256
82b48008a76789ed0d0e8d549f938bb324311cd5b56e085a04349be122ef197a

SHA512
37bcdfbe200f89b4e05958e6056ff75f2111a758a29dd07ecbf378c4a167896e99caa9cd68c7303c2ca803d028c6bfeb5314bacb153cec3b785dbb1e3a729cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
220489484b18f3eae9e16d26af053ea1

SHA1
0a1159a4d52728ce2e0a10f6f25997c13a8875c1

SHA256
b2e6a5b5748902ed10fe349ab4ade42f403b22715bac6a5bad9123d1c9893e19

SHA512
9b61389e219f84983ce813c9d1c02a4e9ab0282b2124f327b827c66b00266c680fcb9a2f7bcb7d107056691d2af166a4795657584bce8b48dda97859166d52eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75e4e4d8f1eaf3ff9ab485100c9bc0a2

SHA1
e9e342bbda263593f2e4378a6d1ec9776c45c017

SHA256
72ae1d97bc8496a69786409df9cd1df8f39ea6c0cfd02cea8328ab4b3050cfc2

SHA512
3ff43964fc5e40e9fd19833e3142a113facca8a3e60c46dcbf03bf42907cc17e9d6f84281dcf948a6d98c07161b7dd243b4b35e61bd2091aacbc75b1f38bec2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e0d8539dd5c2a46b303e2af150e49a8

SHA1
407d8c3f8d4d256ed5cddd24de5fb3f6ad4d9412

SHA256
4917e9095fbc47342eb676f4bfa4504efd844ca4f990e83ffe3e71661d1619a9

SHA512
18f5ba2972d2f77fa22e47a85ee3d305b4f806a3ab8fb94f74bbf8bcd1d924df411445606ff3f2368ef4d93bbe78c5332fe48597a62bcbe47a733969e026bfcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
447cd41e0fb0302be7734ad86027b640

SHA1
b1a4c614de87a4db9523759a975f1fb6e03a749f

SHA256
a25f33b248f4b6e4b29be6ea217837c39ba701592eb22983046d2ed2874ba04e

SHA512
9e1f4962df36817f50eeffb422987c3b614ae61720384545bf732c989fc923658289e110ec3a46bb1ebc219d58323f9d760171a1bc28ed86a4138c85b91bc5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13bba5ba5ca446f9d93a7e8f95723f9c

SHA1
1626ca5f39cd05aed0846abe70924997ac9e5c59

SHA256
a81b28f5cf3b4a5c7c7466e5d128dcedebec17194a1991d7f13b10b744ddbf9b

SHA512
93fe7a60edcfefab837274e4f5e4b6ed6e86321dd27a30f32fa0d013d49993bd8c3b09c593f6ea49caca8f65041aeb36ef8c65a6ccae8759d7a95c7c2feeba8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
302ec6f56b61d1894d77e5f37c3722df

SHA1
cd9adf63e8661eeb16447a1ba543b682b12d211f

SHA256
b124170350f8d93fe80d485ce130b975b244c4f9127b7f29568f8ac271285947

SHA512
3afd1932d953240728766351bbe5f94fca292a138be1df3e29e0893137a1c8d75392ca65cc9bb225a8c30f979247d920c76b415982cb15b3d27c24fc5b600709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eaef81e875efe9d1a97d6d75ce746235

SHA1
d0c4226cd659511b96e3538d635c42d655220cf6

SHA256
e421ade8f586ba72ebb5319e85641ef9638c135cc6139a7c33b89d267a102046

SHA512
993ab46e544bae960583d047579c166f9ae91db34f80c8b9c480449dbd7c6d885cc122d1cda923f2224a68142301058ee7733e6467230cc8498dfe56e710699e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
cf9d8bf3d7a0be954f7634c2328e531a

SHA1
6f91e7bcbc7c03fa08400fc6cb9f50cfeb7916ed

SHA256
101201393ff26b309f11853ce5baf658d81efc67bac540bf7b2b3727da2f6aee

SHA512
2bc88c155d2ae6f61287d686418105af34ee1b927c851a2cd8b89cf01ce9c4d8545a36e28caf1129c2e8a822bc29be8e30f145cdc695d747de8131b186e000cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\beb64af9-da9e-48d1-a0a2-df4e9b27e3c4.tmp

Filesize
9KB

MD5
aa1fe92ec2cfde5850d6003640a0a460

SHA1
7a1dee0991fb807d398f84f6e30bafdf00784db5

SHA256
f121f2cde70ca3b939dc820b4744ef06999c7ac368be489fcd3fbbcc4c58b811

SHA512
3f011bbeb568136cf3d0b04f6e3704ec307b7f76319a5033f7d3e5a7fbcf5c19a8768b525f3e1f57e4b85a2602ed3da7e4566e6ed00c5929e1a4b5b9d58c4459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
263f397f64e870124f29a75de00cb3f7

SHA1
16a924b8e8fc0f2cc918b300b74834846668bad9

SHA256
cf88ab8a35c21fdadbbec54855e8480e337dee8d65b7c151223ac610211d0362

SHA512
388d2ad6c655b4220193ce8321efadad8a18e4a306433b55c84ef6b050fadab38a4dc57b710b7e4917120841c10c10aa54fa6ba9c96aff52c7aabb2969846e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8d3ae44c6085bfcf65df4988f0f74a20

SHA1
dc79dcbac073adb88a231f0b0581f0944ff0b14d

SHA256
433a6ed1c62fb46cb762e06236a20be58a4d929bcb5f749f9e93d6ecc2fd44a6

SHA512
496fb23da38983d00df846f0b0c4ab1da833806cd64b526aa4c5e47b7b0a0ad594bd0ab8250bf07a707e5a28fdf2fce7624c20254ef957864ee2a2e61f4f8232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b87d239164ae9004c21b69c572fa0154

SHA1
951c30aff1e428e897afe47ac49969a1b8fff699

SHA256
11d7d71b6e883e6abd0a6bab295c613fee5997bcefe4310b22a7b961cc47016e

SHA512
6c9d84ea8ec149a1bc975a6fac7decbaf5321724477cc20d5aa87c58e3d5ceb89d5e759a8a9c00b22ce2486274120bbfa069b80164edb3f45ee72b05e16d43e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c708d3abdf7c1f28e0d6307eff86c13e

SHA1
a741b5688418c1953ff2a28586298591fa15262d

SHA256
927713a8787275e58e2f9f322fcfe0d75e74041435003114a4aa7af45b76bd9c

SHA512
945ab0c1f020f49bd972c66777159969bd9b6463efe5ee9d42cd224d69f3ec82287725808aac6daad8e2a5e223e5b2db63c264754c650832b6e8112917b678cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0a009766dfe95e36f1261ef91006653c

SHA1
e39a39e32cf46f9a482435423fab6a3a7d97b5f7

SHA256
347b3ce1e10e5eff2fac06a656afec90141990f27e0d52a588d58988252f579d

SHA512
23f0d7b7922deeac0c4ab19500a444ff4c573e885412c799f549978b1663bba3d3a0880118f4c229bf97864c43bd7139a313e092523b4c15120b2f2092f1a757

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
ff847e46cf128da78fd77a9e977e6419

SHA1
37d08015addba8cc4b7764d15b0f20416aa8da98

SHA256
c9f8cec5acf6448bf61584f9f04a477ec2af9f0e4ee4e79170b0ba7ce50da7b3

SHA512
6ccc3e14e7aeefb54d58b79428ee53601414b880ccff24673faa36311b4b9ee3aaf8c1b1b795e85e43d1a69f2876584889c122d4c9e1599244b2fbd04dd66fe0

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/3208-205-0x00007FFA66A00000-0x00007FFA674C2000-memory.dmp

Filesize
10.8MB

Download
memory/3208-204-0x00007FFA66A03000-0x00007FFA66A05000-memory.dmp

Filesize
8KB

Download
memory/3208-184-0x000001E27F490000-0x000001E27F9B8000-memory.dmp

Filesize
5.2MB

Download
memory/3208-183-0x00007FFA66A00000-0x00007FFA674C2000-memory.dmp

Filesize
10.8MB

Download
memory/3208-182-0x000001E27EC90000-0x000001E27EE52000-memory.dmp

Filesize
1.8MB

Download
memory/3208-181-0x000001E27C5C0000-0x000001E27C5D8000-memory.dmp

Filesize
96KB

Download
memory/3208-180-0x00007FFA66A03000-0x00007FFA66A05000-memory.dmp

Filesize
8KB

Download