discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/tag/2[.]0

Analysis

max time kernel
459s
max time network
458s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0

Score

10^/10

discordrat discovery persistence phishing rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
zsad
server_id
sdasd

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
A potential corporate email address has been identified in the URL: currency-file@1
phishing

Executes dropped EXE 3 IoCs

pid	Process
4456	Client-built.exe
1004	Client-built.exe
4916	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
90	pastebin.com
93	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	msedge.exe
1504	msedge.exe
1972	msedge.exe
1972	msedge.exe
3736	identity_helper.exe
3736	identity_helper.exe
3636	msedge.exe
3636	msedge.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5844	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	Client-built.exe
Token: SeDebugPrivilege	5844	taskmgr.exe
Token: SeSystemProfilePrivilege	5844	taskmgr.exe
Token: SeCreateGlobalPrivilege	5844	taskmgr.exe
Token: SeDebugPrivilege	1004	Client-built.exe
Token: SeDebugPrivilege	4916	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe
5844	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1480	1972	msedge.exe	84
PID 1972 wrote to memory of 1480	1972	msedge.exe	84
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1968	1972	msedge.exe	85
PID 1972 wrote to memory of 1504	1972	msedge.exe	86
PID 1972 wrote to memory of 1504	1972	msedge.exe	86
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87
PID 1972 wrote to memory of 2656	1972	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff92db846f8,0x7ff92db84708,0x7ff92db84718
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8387382889889551543,12794247072935626760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4012

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3016

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5844

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5968

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5bac3765-9b62-425c-989a-148747a00cc4.tmp

Filesize
3KB

MD5
d295637f89189478f6bd77e80b7dee1a

SHA1
917f9dc50c332cbef410658c76dc35652f701032

SHA256
8f49a31ea37ca2d98f0806669e77a65b568f62ed3061805fab306674b5946ae0

SHA512
e7500d38084729120bb2bac74037411a37289030e6dcdf0dbd901dda53fbcdc3406781d7548b9f7443aaa8c96462d2ab5c3151108147ffda0651120fcafc0c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
76c5a1c4893ead82a3860752efaff402

SHA1
fd569092ab49a5255e0189a889cc3c55b86f1fa7

SHA256
184cd1408ca74b868d9fe27393e619181f95be1ea7581609bd6e0298b76c1ab7

SHA512
5cab99b1994f3878fe9e1f1caed8010e4b32e6274c4cc5a8a9568d66f290d675ba4f5d60d0014f4ab8bbec037a38cf728257ebc4a8699f2dbd10e96ccfb600de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fafac693c40355a54e309189a4b99a15

SHA1
331171cf837ccf127a678d52892fa81ce54b6624

SHA256
e6dbdb1fd333fe75000de07c62ae30ab619e9e86c315c2bb5f1c91c3481035be

SHA512
62de1e040ed9466a71d69d8eaee8fcd34e7727143b79f7b832916a38f2066555b6871486996cf306d02e9e38267aba0c7aab7a84bc526b4d0f908778ac7efe6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bd03588bb59a5fd27b7c71b29cfecd8d

SHA1
b804ac91ca15138e733504564748cccba4770531

SHA256
418bae83846e7f9423cffd445c31edc5a0dd42aa9146a2834a17d4cb272ffbb9

SHA512
5577bccacbc928057596780e7f72fd46a1d90a3b6a563069d4ef910d88581c61f7610cbb5dfa105d1d01caf58b5aa10fd5dad42fb2667b820d5512b11bd9d918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
5022b10efc3c6d669ded7960cc594a19

SHA1
a79ad985b345f09f5f4f265ba1867800ab4d3be1

SHA256
a6c395932ed70d3a45247d91c6593b48d6d389a52aa806ad484aef62b63c8e53

SHA512
a496101a7c30b7205f91698eec23c53b52d80a24a2208f3184733b905fd34066163df9688e00856278fc536fd955bcb0d2c62f3561f28718e378a08754c53c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a64216fd1ec40ec1dcb0f176efa0c385

SHA1
1d12280a1da180b64a3ba133c0bdddfd2c47552f

SHA256
3722a6c2fb2a5317252ee329c79e93a57d25be2f0bd7aa376d1a2f1c88cc682b

SHA512
b6bd603077b82827fce2c1c14352a9f41a2b3385c8275b931499634450fb91ee6bae13a13106da933f83b23868f07266ce604a937d0325efb8bb982b948ff7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a66cab2632c3d52c4614c95407df3ed8

SHA1
582197ef107586181eb1ed26d25d725916297e3b

SHA256
241fe98100384aee7e73f7a839c1b53560448b0157e1c41387aff8b704e18009

SHA512
7b67acabd9fa62ffb82be2f446812d75f3cf2b8cb0174b156ed9159927ea1a1cea7fe52a5335764c10af9080874e3054b09745ad8684e1897714069e16302ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c31219057919c66c83aa660378cfe634

SHA1
a887469e3504cc50a32d045469742c5370c2d472

SHA256
f4f3f8e896414b97a699e9aa158d0d268acea2455db334a733fbc58fefcd6c7d

SHA512
f819f6119f40bc7ce8fded4f6fa5216beb522839e68c1be6fbe947892ae497d01be95b188b3e80a97f9b4ab346f60ee01d59e69ceeaf6afb36f870154b81aeec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1bdcbb4df8d7c9f22cc6e7779839a1db

SHA1
656bdd826c6ef2f5c9e0c72c5960d5cb145a5d1a

SHA256
8773281f59c57214c4c681cbb1c27471f43813dbf7961bf24f1d64c37e8900ab

SHA512
dde4127fb09e2aef03eef32a2879edc017a0fd0facd45bb2bb56b7938c3b829fc447493be9ddaf9b379459e3733fb82b165ed0498c00846c8dedb078fc7684f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
201c1fb1e638083d7544312743f79ef7

SHA1
c0ba60e68835726cffce49414f521fb7d4432a63

SHA256
db4af835192409da422900e243774715877058544a87a100ff19ed939d4d31fc

SHA512
168561ada6dcc066ea3ff21fd58a5e19079a0e521d227c774e01f8c2b20488a0e87e0f42661538c2cdf094c5cf512d2fa86aeda32b3e6aa3692ace541e9e8d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b70042daf63026e55c1356faf840b25

SHA1
e84e9bfab001893b0c06c4dc239dff526ac31daf

SHA256
598c5ab647eb4b447f3ec0780c7cf649f650dcf8f54458afb1768d6f9513bf19

SHA512
72c1cdf82a24cc90eedcc388a5565b1834afe95113cedd787e8fdcd44dcce0cba30d7bd3bdbb605cc23dcb64eba77a076b712f17b4a5645db40d119a9dc3ee25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6149c552e08f970408eb42b8c28b9c8f

SHA1
a3ff3d9167ae6daec61523a464f97a96c630c819

SHA256
c2d9adb1959383697fb2582a89fca609e8d668cc3e633e54d5e7bfc05bce408c

SHA512
fe069495a09c1e9a087725426f2bc92a20deacd40a95ab6d9d6175654e143d896506735ee8a34746e0457ed239bcb4167a8c198e2a6ff2ddb37f10d75bd858ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b90c5423cdff72adbda6c2ceed546183

SHA1
7b9b7af3e74d553ed5b75e155d2ed866c7aedd01

SHA256
8a9bee68f789db57871efcc90680320566e366591b677527a2243a690165e027

SHA512
12c87f6fe90f5cee06d6bb8beb3ef005f6087a182c66f1cdd71122964b8ab34bb1fe5e288258d78652d4d5324416b53280893391a31327ab8c1844fd7111ef58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8a58c162a68c022a49bcf481b64b6619

SHA1
b862d6a7bc5bb86f0df5c3e5e485357689f9ef73

SHA256
44f0dc560996a92c7cc947f1fde36c83af1eebd8de758cdb39be45a62a1d243d

SHA512
def8d8979051a96dc952a5a41ea5d767d0eaa040e6eb2e9a21840c8f6e44e55f29375ce61dd9ff4a4bcb51479a00471ffeee56983eb9d47810a3d483d8ae6ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3b3412ae2ce89460991efdc9200b5083

SHA1
de61853f03f2272525c2dff1fe72d5f7c3292ccf

SHA256
2f38df3d65af4d903b60901cdab023f4386d63db2c237e884e23cdfe9da9717e

SHA512
57c4e8cd5c2a1a7eb288e5c4ca2ffa089bf6d35a4a8fc0907ca190ba112fba1b352c4531261a228b5aa386b7524e24b923ad970060cee3a65599fdaa7bd5dd38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
21e14514e0b81f136784e1ef49696d3b

SHA1
51e1a5e900854c463a585252d2cd4c65c0aa8db4

SHA256
c56a98c8f8964af09885a8fdfdb56a58c223371f4e6750478af4cea951b490f6

SHA512
9b1d71f15a8be97543b9d3c653af74f0779d542c25710f3359ec2e67d0dfe5fcb7fcea480c6f677a78e6beef53ce9a91740cbf86f2113b90ab833a24f90f1380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
154b92ca487bb86d1dcfdb94093496a8

SHA1
5808e2e067294dbee4effed04761acbcbfb5ffb6

SHA256
cbf84ec5b2bd84d4b14c3f2bd574a44209274b5356009c75befd19ee4dfdea58

SHA512
2300830d37ab6a0a36d691dd4521a7d6110f461611fb4396ee8c74b9ce431b74be04bf59d0801109b9e43c480f57ed448e9783627ec49c147847bf828e03ff43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
331f2d0c34a68a1b32a6ea152cdc7930

SHA1
487d09f57ee094e21064302d0fb5775d5eb4ad4d

SHA256
d39e3bd33d5546aee27814af36d79fb08c1d74fb6a9ef7aef1bc264a27a2d577

SHA512
94c619bd7f29526e1003140cc002eb42965930525cf52f4a856758c047b939c3a21459cf7ec8f422f03da042f01a0e68815f66b7a66c5573413f8208a7923333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
26d202f8d17d74cee7ac56b182b6f23f

SHA1
e8a16f81cc3d06a37c64035e540fda66ca439245

SHA256
ede2016e8c94796e48846be9bbf7136c007deb7083577f2ea95709dfbd4244d4

SHA512
745d563889354f8f6ce7c5b35d5240ce29e6984ace88727eb9658a7ff9c7a3567713c36d3f7c3c3ad8ee22648dde37ada0a59406978105407341def2b8b4781b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e34338a598fe1c7a640d2eecd104d2c1

SHA1
ca2054647b7b775f8344f5aed6599364fd1651b9

SHA256
35cb453ae6612b84ea4960232b777180ddd45e503b97e253a850bfd95115700e

SHA512
e809c03bc6c4deecb8ba0c722535159dcb4c26adb32ae2d9650ae86856d9900ed8b8812a216c891729f32fdd3a2aba340e1fe7c9f743ade058f8a387a0f033f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d430b925770a324752f2425b1718e88d

SHA1
2ad9f59655255c2ca50c59f18295e508d07a4540

SHA256
416e829c84cfcbf0031aa1f513aa31ca70671ec994859b10fc08d270e1a78492

SHA512
e2f6b6a1ec40fb2e8f23d1dc3018d1cba9c13a8401ff21220b4e52f92449ae0dbe2ded251c32f77f6978b5d30d0edb9a32287477ff6208711017a932ca8e45d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
2dcd4141da1b805649b67bceebba9106

SHA1
1ac73d45e5cbc98a6feeebba34544bd9b7974252

SHA256
d974b2913fcedc6a916e201004c1c1b933583286bd130c42f3b53e1461fe2955

SHA512
4581722bacf2f3a7d76eaf5109fff76188613e53dcfa73f08a43ce08f8623c663cfc6a8020e24ab224154ca25f37734e19462b2d67d97ce0bd9ba53499d99651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
195a6e77578f7a44f195a58275c8572c

SHA1
aec5d71db9d21d3a973f38b9a3597b43d65a747b

SHA256
bdeb8ffe3d85e232aa7f3db5ee78af98b867038a2f0822f9bb661fd5f989e1f5

SHA512
aec505abe6cefa2ce9b3a1d454d95aae7acce6bef032600e21aa87628f6a49b800f4cfe21966a9677cfabd9240eaa6e75c641bc753185041853f661551bd3901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
531e8132d8d3426ceed283ea41080780

SHA1
bee57a098e2a9d5bde700872694d1d7e6751081f

SHA256
104613e91973f18e38ba1f6616715a829fe865a9122182fca793b884d4182d8b

SHA512
ee87d1f3123fe65612ce0fdb068dbd14e55294f54343ec9bbae1a90e38768404e593a5ecda2bc37c701d78fad0ca58464374a8d8249727fd2e1880689c88b0b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f201.TMP

Filesize
874B

MD5
0d4253b4c49ba63bb2dc81826ba016af

SHA1
115e4250ec849cbab13a36b13f244415538a2f63

SHA256
220c30d61bacf458070a7b482bb6243b4f3e7d16f8ca600696294b0f32fedd34

SHA512
92bee4ca303b6a267fe0f73aa051f9f5cd92d5bebf8ae72c2cb77e4f3ba558f3059b2bf75a4f785cce19f2d7609d5c92faee74659ab5d3d4414f22e4d07de194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c9e939948857349ddeadd70031d391a

SHA1
0faea1773dbd4775a0adabae84c8c3c6d3ca0fdb

SHA256
fc6dd559372e3db702908b11053998021f94b887a295db568a9ec46673e048b4

SHA512
a44aa1fffc8c831f4926bb23f6d28768e7b09d4e0108cb709590c08eb0c3c27a9cf7d9eba5e1166c02fb50df951d9e771e4db09cc1208c65398834ceaba93a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
756ab9377838a9dd7d580a453f91c5f5

SHA1
16cd60cd4c9703ebffc53fd1fbc6cf1d49a9e7e8

SHA256
d7d42ada5a7f77fa20ba2e2462fdbcfbba081568836decf23ec9db7c4d748127

SHA512
fdd9d4983df6566bfd5227395e014292442fa4fcb8411a61ae66f9c0cc26ec8d5b14308df09f3735ab952b899fe1805ca54d7d5a6301cc0149768b75355bfa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab1b47a1d4bdb7e450f2a923881a6095

SHA1
3209ff42b52f0ee529e348c1d74340cb66c02a9a

SHA256
44b0c2a51f5705ff3fd4675d1555f5f53bdf947505fba234c49cf4839c834dcf

SHA512
41441709ef6fe9f26f552f1916a7ffc6ff6a485dde18c59fb687c481869684f49fdfd82fe2e5983471ecd74c666622655637534400beaf7962f7623520c6beb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cadaaa7ab4510bb7e4f1dcac96aac51d

SHA1
3b20b0754e9f2ccb15324c36ea5b9b594cf7ca0a

SHA256
d692f9bdd8aa67b9b4d296c25cb4afb8aa2dbf9bbe6b47188602d5ec6869f43b

SHA512
5fe75995aca541edf6f909a8b1b8af4d0e7a1195452069ac702ccc4ed4ea7d5e429a46746d28f276da58e6c36b6d4f1e567e96020598e512218bb127e0247658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b464907007e20d11df35e642d09ed756

SHA1
86451e5225735de0e8f6259dc919bc56fdfc0dfb

SHA256
9059b539bce358a90e307ff076c72646595f2b19e99ac6f6de41517d159eda84

SHA512
5c3e012c4024c7bcc7e94eb935f0c60b812d6583f41cc0ae4289989360b3dca5c9a8b7830a10736fb4e398b49e133463d99f7f329088110dfb9c57da08ee7d10

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
d56b247726cf9bf5cb8fea477780f77f

SHA1
bace40e49214a48ab01148933268daebd4d40edf

SHA256
b9f8e5690de7c4666f9e7e23f3b97530bf5ea923620a5b5ae0ec3b1256894303

SHA512
159c5ca7b7de6f5e31577590b81ee985d3c56178532713fec4869485cc243264c0fa183be6a257c48b86d2644e451543c79c60625c468212eaeadea717c8f599

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
7820692ebe7dc9936c51ea9845b8b0cc

SHA1
f65642eba33642da57ddb1911d48315c2be14e4f

SHA256
c17ee3ac794fdbb054b0b9eb57410015c672cd525d33400fc8a142f7aa9c0951

SHA512
06d6c86442bf8dd4c42e0dab655de06079bd9accf8b5c520c50b406657891f75ab13ae8642bb6f0492223a610704868a126c4a09e49ba3b0a4c4ee494645fb59

Download Submit
memory/1004-609-0x00000294C7540000-0x00000294C7558000-memory.dmp

Filesize
96KB

Download
memory/3016-204-0x0000000008C60000-0x0000000008D82000-memory.dmp

Filesize
1.1MB

Download
memory/3016-194-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3016-193-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/3016-192-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/3016-191-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/4456-210-0x00000162EDE70000-0x00000162EE398000-memory.dmp

Filesize
5.2MB

Download
memory/4456-209-0x00000162ED720000-0x00000162ED8E2000-memory.dmp

Filesize
1.8MB

Download
memory/4456-208-0x00000162D3070000-0x00000162D3088000-memory.dmp

Filesize
96KB

Download
memory/5844-508-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-510-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-509-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-511-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-513-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-512-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-514-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-503-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-504-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download
memory/5844-502-0x00000208B72C0000-0x00000208B72C1000-memory.dmp

Filesize
4KB

Download