discordrat | 2f294b7dd8df80c19dcf8e338049f55787492e70e39eca8f8dc731b3c6addc83

Resubmissions

28-12-2024 14:10

241228-rgpf8aykhw 10

28-12-2024 14:06

17-12-2024 17:57

04-12-2024 11:26

04-12-2024 11:05

Analysis

max time kernel
899s
max time network
891s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badassfuckingtien.exe
Size

840KB
MD5

264db47eec711ef618870219832e5dfe
SHA1

116d2ff601d6640d3fe24fb67492ca2c82d9bbd9
SHA256

5c8b1d9c70780e1e669b4b34b0e190f6a691b8ada42179e248513feafe5b9ee5
SHA512

1672cbd9273987fd2d3cb1f843e2e28bb4c107913e0d1562ce6cdd7a403ba40e1bdd05647f3d89b0b00a8dff8328c9fad342f1b771ee391990db6d4855d8ad56
SSDEEP

24576:9uDXTIGaPhEYzUzA0q5VR0cNnns+UrZtb5jpXw86qh:gDjlabwz9iVR0WnQZ5xpA86qh

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMzYwMzQzNTY5MzYwOTEwMg.G0k280.tlujv7Qu1u6uHZMDdDCuyzSTaLQITkGmfU0u3s
server_id
1312325986385264681

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	badassfuckingtien.exe

Executes dropped EXE 1 IoCs

pid	Process
4204	backdoor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133798687821485653"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
2532	msedge.exe
2532	msedge.exe
4504	identity_helper.exe
4504	identity_helper.exe
1828	msedge.exe
1828	msedge.exe
1828	msedge.exe
1828	msedge.exe
1748	msedge.exe
1748	msedge.exe
4524	chrome.exe
4524	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3924	chrome.exe
2744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	backdoor.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3924	chrome.exe
2744	chrome.exe
2828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4204	1752	badassfuckingtien.exe	87
PID 1752 wrote to memory of 4204	1752	badassfuckingtien.exe	87
PID 2532 wrote to memory of 2668	2532	msedge.exe	93
PID 2532 wrote to memory of 2668	2532	msedge.exe	93
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 2140	2532	msedge.exe	94
PID 2532 wrote to memory of 648	2532	msedge.exe	95
PID 2532 wrote to memory of 648	2532	msedge.exe	95
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96
PID 2532 wrote to memory of 3904	2532	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe
"C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffee3fa46f8,0x7ffee3fa4708,0x7ffee3fa4718
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8283614679709137874,17555240734554151220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffef97dcc40,0x7ffef97dcc4c,0x7ffef97dcc58
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5104,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5584 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4856,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5400,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3372,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3844,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:2
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5244,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5628,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5432,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5760,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1244,i,6801816091420418290,8333413043196633985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8b81e58e-19b6-4ac9-9bb2-8a9167a81b8f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
96dfc6bc9f2d85c1b0c560adb56595ac

SHA1
54c0d98c1ca90a6b41eaa96ca445b7faaba1873b

SHA256
b087de654b2b4153b66e28fec8541f2efae02dec9418adeece7f9199e9e5dabf

SHA512
c2107419feadc670337f46a5174b49a49a34afcdc38d77029e46785baf3281e1039a62f1aa519ce6a87d3f740d595ca43478efd718774411559d41bdb116ea68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\128.png

Filesize
4KB

MD5
35696aba596d5b8619a558dd05b4ad40

SHA1
7ecc1dad332847b08c889cb35dda9d4bae85dea8

SHA256
75da533888189d13fc340d40637b9fc07a3f732e3fcf33ec300f4c7268790a62

SHA512
c32f20865f736b772844aaa44572369e7ae85b9f2f17f87d61694acc54487309a32bc4830ed8d9cee8b593babecf728c1ea33c2b9588649be0e4f1e6ed7ee753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
43662fe1746dc19c348727dbd6235ef7

SHA1
689eeeea0989ec54448e26a37fb0abcc99ebec89

SHA256
fb7478145c0bf00e60493b3466e61c1d5a3fec8c4136658e6f2c3cba12cd0550

SHA512
3d40c38512a5b3185623ecc0c0b3704539370c5ecdca7c1c5c642eb70b6aa00a0eb86b56607f0261aadf1ebb56a4084830ec515adbcc63264fa02597d6aff224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
df42edf094e0eceaa5a70e5b44d83ffe

SHA1
86279ba08bf6179bb9721fa9a726b8703afc766f

SHA256
4a2e7c37bdeee2ecaece0f0cc39ac9e43816a9052c93394edc6631f3c577a864

SHA512
e2b0eb3d0c2cd40f9c1e83d4c4584fb9476a911825c67c25e3daf4a2e169bfff28f0339ae789e98e00aab4e33cddd34816fa145bca8c4fa7220b42af6b4281ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
79cf3bc8ae396f4176638bf26436054f

SHA1
8e744a719bc5aef219ea885e45dbec5f0cdee8af

SHA256
96bd1f2ca43fb302191bc9ffab8ea7515fa29c711c59fd3f9329b7e59ae8ba9a

SHA512
3f010c1290fd89ba4b98f7bd23768fd3b1170d55c5be3a1e2de3e6e91b16a5c7c87be2d7662cb1736f5b3219a98e6abf43315f4537c7c2eb04ad89c47d0604b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
636cf08716987d8833e2575d7af75839

SHA1
840679bf2bc03631cd4d62ebbe94a62d91dfd6ee

SHA256
bd92256c760443963e58bed5f1a13a3654d548d8132efc0d55c3af72547a24b4

SHA512
c9a157bc3c6868143dc62ad5d8330096f88ae009e016e87023dfc456b741239e021f10d5bb9f926673956c4f4e4529b253ff461835febcfbe682a35e4312532e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
130718c0bec84060598e132870c5d66e

SHA1
938ac3b6c7e43ae0f3d884776a8e13d32f40c7fb

SHA256
bc5d59901778d799474af5f06529d635473ce227f0b2808a3377d9bd69ccf8ba

SHA512
611e1b1fde3212272a341a72e4882c3fe86ee57c4e676e4df1fe26dacbe999fa999a156afb8ded49b84af60c3c2e53f716f61c0fe7b9d515fdc12447fbe11910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c1d3a7a7c4f1499da61ad84b2595bb5

SHA1
ffafd81f11403a5dab6ce0263251c35db2c56041

SHA256
6b47e34125117c5a4a3064a349a60dbf055510d69d47cb5031a8822a5ad10bea

SHA512
909bbd456401730ecd2aee0c668d3ebd6819ae7b19a5f7e10edadcffc6faf6c85e024d8acf1abb36350586d35229c354525051b585d7b6ad6bda09d4cfd7b1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
89bc18b918a9ab49815faeaecf6c1db4

SHA1
3d4acefc331df665ed9c27c70af770220f30604d

SHA256
46dbe73bf3969868ab0197ac429dc9084baabc4a611fb19241bef535e8f14070

SHA512
6ac7d61d2694a9c0435d46cbdcbbbe05237154e4fd8c090952e2ec240e95c84193e201569e6241dc3a1ad69e60eac9c66f1574991dc0f1123209d2e89d1f6f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7200aee8981b5695abf210d0eacacea8

SHA1
197b3e2e740b8d2c4ae95185084215a78d529950

SHA256
7c271009a4777079331ba9533377d694c66fd0c30fd45d2fa7ac8abfb7c6297e

SHA512
f9360021e71695d803a5147bea499224e538a99eff8c04b5c85cd561b6c5287b905438919912601cd1e1161e97c25095e8cf0e050933591641f1100e7e0f50d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
979cdb839ee5481c5f3c8b84c33aca7b

SHA1
198c80624be04fa7d8a28d21a068bf9ff81b587a

SHA256
fe5ae5afc4014bade75ad07bef1ba923c68b2c385c04db0abcec9f56c9eafb00

SHA512
545b8d05fefea630c108438664703ad8f0c4e37ab0e2eed857b9e3a89bb5bc0e6fd19950c26f78427790554a20864dcf7f9e11aa8a9ef6afe453bf48e3728f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ef09741d2c2dfe37c0fa02a85f9910e7

SHA1
94dab3a49eed83c5b7d28f8559683b1ec9062ad2

SHA256
0b25531a9d04879a689ae78f50bfa6b843f2001779d3a627994237b06026cdfe

SHA512
c0c9cd0fee019ecb5d05aeff1bdeef5b9e4ecd96085ebf0f2d20e9a1fbbd4e6ef8d0d333aa86aeedbea308419961cc702e17ba46acf8426f2d009f2df0d50c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
fa8fd6a21973a48802fb3cf09ade0ddd

SHA1
8c5675d6783ca4120315b5bc811b719fcf47e937

SHA256
61fe1cf42c999162fb41b06739b3b45011a2e653ad3fcdf97a62a4c1d4af1c1a

SHA512
6f7a4cf07428a2887f3c8ad022e6225729e3f0f1864cfd5e7bfb5f36e0376f0bae8160a0373641ac7d6da34430c716f718dfe9aca296af528e1bf7d33c25e636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
126KB

MD5
bfc3afdcff1eec970e9fa167db1ef9fe

SHA1
8ea06a2641ea94ead1766dea871cdc2314647ef7

SHA256
ba64636bd6726e8203dd087d2e09636533b4157f9f6cefe7cb7ab770adcbeb0a

SHA512
83fe19934c7085e1a6464ad5beb84516b59bc59aec26fe98f645e634fb4a06dd8193c44c91855b47fb511dec49b9a72ca78d7db78665e635aefef1910164a3f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
109KB

MD5
fe524c9c559bdb12d8934d3824313ddd

SHA1
47acc54cf45590241ce4fa071c774faf0e6e8c8c

SHA256
7cb270dcf2136103f2469b86bab0bdd82ea9b7f723a3a6edf6451741eccb574c

SHA512
bc9254c438cb5f2346d0cdaf41f208fa0e65205642baaeadc31463a57d8b1d756a90561cd03984a3a7fcfcb3051a3208cf4ed57aa2d78fc2cd3dfedd4ee8898a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
105KB

MD5
b271c5a736b83ca5319ee5883c846791

SHA1
ab7ce96343af2e2ef4ba2ea7984470f18990a74a

SHA256
abee250bb3d542f5c30973e4dcf0cd95625cb5766c7c42c7d74c5c0ad9082b35

SHA512
415430fa16c50099c56ba6b25e5812d5a3fac00c0577fd0313cf27a38724b71eb4a326c21edb33e51c24deb670be61345208bb54fbe3147877e5bea90997a253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
584cb1b902d5682e1316f60331362fe6

SHA1
e7ef8507abfc4666436790da30149303561e2d87

SHA256
ba35740897bd5bfcc49980530c117900ce3c4336ee27584d5fb1903141c80801

SHA512
941b47fe0ee3bdd5478c6ba9e5fc51d11bbec092f23c2bb5b360151305f958d2b108b2f4fca9da079427649f95799a5b239148e7cef008b08d5156862fc04acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
9b96995f824afce1b719d9908b764ea4

SHA1
9a9948ee6705ad361a106743aefde3da5c861d5d

SHA256
f8046f435ab779fb83e0ccfc1ba20bf6265f850d2f38dd3e25697f3c00a34335

SHA512
20d20c5b6d34ac6a574ae01c1cc2b32ec0fb091524ceba9ff62531cb76da87767def8fffca39572cac8049a80c04177c3a7e1a13f7c6f4571b05b5c1e814ecc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_wormhole.app_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
250B

MD5
37c4a3d638178c184e5d66aa38d15ef0

SHA1
090e547f6c8c3f75fe82d58a5c7a97341138eb10

SHA256
ae447ed2f412815b76a25218cf8131bfd1a78dd292feb6e84707fa1e79939dba

SHA512
fa1559372db5a1de7b9b484666f86ef1905beddd1c59f546c150bfa95c27a3f89b0dcb94cc42ebd3bcf50871d7772f2ffa4188634a9397fbb3e7e3e487b4e585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
540B

MD5
ff8d59de4d7c86a8ee721a5a289687e1

SHA1
6ad6437b7b0eb40d6db371befedd50b6ed71abff

SHA256
b46222e0ca51567381551e1b26e2535c084321df36067619a2cbbe2fbde4dc9f

SHA512
63a04eda40e655580904b8cdd07d5751d25bd39b3ed904a2d2ee144dff895ffe5f32b1fad4a230906b48bb63f6df6edc07694fb4525ab05b7959cc8964386d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a39bb6512a49f807073f2074b268cc8a

SHA1
2d40e2d8365569344e5855fdcfc9317a06de96e7

SHA256
8ed58532a892cf95f1646b9dcaa24419e53ef420d4dfebfb86cb4f999d8d190f

SHA512
b31fe08bb96d3e0f3207e22f630a64ad7b8ba698118e6969f288b5ac8ea9918c1db08aa47c05d8c482fb55908646fb32e1c83b4913bdf7455f3bb0a479574959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
48f526beeaa25fa189a8e5620cb1a801

SHA1
2c0be1b61846c6c503dab3dd56e6a19a94e41e2e

SHA256
c7bc3f5f4002c7b06bbd6938a9807167ffafdd1ddf565d231eee77acc9d2146c

SHA512
9a1eb8e210e9bfb1d9fde326690a8856a6999d108667e763390fc8e28bfb586172cfd809a7f3bb2a3f4a1d45ffc5a1ee6d8219354ce0547ce1c73e2506a96053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8c917b257b8823babb1883e9276e7194

SHA1
446449c578ac9911a10cacf040b6706c1fe936fa

SHA256
20217e11888b6c1ee31c027ef0525823c49f661ef47fc91a2cc5a4afe7fb85ce

SHA512
489f5e425f7cf1867b734d0a35fd2c840be6f7a4187a1ec4d5d059c8a63264f2646faa6c6f97e175b0837a3b13923ed1452730e75e346d904d5896bb57be054c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f2e7697922366dbaa2e8f777e8b616e2

SHA1
6829074f08f3edfd68ece17897add2b775e00e69

SHA256
ceea22cd12f98c4bd0414039e79bb02bc59312f80494eb0b709e96204c4f6686

SHA512
21b81913110b2c1c103f6ab300b2d6fdfe3cc027127061786055887e1fd9aad7a16d3ec1b035a5832d65a2b20da11c2a46fd3b14dbeeab9fba1d2973b89e0d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53e85229d3fb8cc5c5cc0b961eb13796

SHA1
0e2c9ce11c503aa1be21f3e9448bed2df6fcc909

SHA256
f65b753901908ffedf58c6f867ec9cc47efa58e0d6ef2018b305b159ad7173bf

SHA512
e9c5bf837bb89bc43c1af0884b7d871bc06a952b84f240c483182211b26c1edd751c38cf00ff53cad2523a45abbb3743106ab7d51b56432cacd45b181af0919a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbfe3c8a3e5fd140d10544e0e59ddb6e

SHA1
3e9d32fc691947ea90d6cb032cb8351f4fcb9611

SHA256
617af4967780a18e0923c9d8c6cce3c5d265cfb7fdd666834016c609c9b153f5

SHA512
6193ea0bfb1472e9396f49a14de8adcf924f3c35ba0f813d98349bb1728d28779f32e6aae80783e7610043b9cfa8c613ee7606db1ae049eb5d090db980bdaf57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9b58afd04d31440f6b5f4ce87f4e5415

SHA1
57218d9c6cb7cfb01e668c0ff30b285b5e53ed80

SHA256
9412c9c4c0fe05e304f8fb079549b717b72dba76ef7d4483f11d816c24aaeb5f

SHA512
e1e9cce43d50e95b7429b9c8f4f3e6799a1e53bedeb935a9065ecd7eb71e8b64d32c95edca1f5a8190143070d0aafef25a95d75a1a3c326b02a70c8c3f96e198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\e1d70958-fc22-4583-bf2b-7c7407c1f73b\index-dir\the-real-index

Filesize
72B

MD5
a1c77696e4a99acd6e1b2102d61c1da8

SHA1
b5e704e1c780924dd40eb61007dfa6bc2ab3543f

SHA256
de5e39479eccbdb9b06a7611c7744736abf15c3a92180de40fb55b33d3f0c136

SHA512
8882b55e3db3a9328ba310178d00cb250ff4600acaac002d4b82da94a68665a86476d45d8b18cdc695d67636587e8906aaf2e2071ee01fb780995240b0832d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\e1d70958-fc22-4583-bf2b-7c7407c1f73b\index-dir\the-real-index~RFe593f51.TMP

Filesize
48B

MD5
bf586e083bc9033365531ece1b631acb

SHA1
ea37dde722d25a1c3c26d4030abc6bae5bcbb7cb

SHA256
c33b935507ae2c6bcef8bff27f5dad1002cb44d551df43136984161bb5c84fd4

SHA512
4b24a03860a455d26ea28605b8625b8ab9743140e142ed52287c0d2ae711b5866a522a3aa031701d12a554f04de40a0289f56e3178e80bb018992c93f845c94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\index.txt

Filesize
82B

MD5
0ef2d1880c3059406b238baa7900e87c

SHA1
8d7d0671ca578a30bc1cdbf86c2c0bfe2f68b2ce

SHA256
bb8c9b03649780effeebc0a4eb2b5af6ba13f1ad68d0dc15bd7caf85a16363b0

SHA512
4937884a9b46ba7226df9cfdf33869a95f99b9f0aac2adc5b9c59be49078cb3b63f9f41ebd0939e1fc664266575b1cf2ba4b8acffbfd9ef6a6185c267a297347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\index.txt

Filesize
88B

MD5
ae5f0791ca91736c3d0e090b47d5c8bc

SHA1
2c3948334f42c7145a91d18fef76ea1bf0615613

SHA256
b97a35650f7778ae6b8201e60d731ddc1d28f4dbed39ad67f044376899d430d7

SHA512
e3a8a4ccc4c429aad70f433e2198557175f1b6c9090db07b3b2aac629634a4606c64e38b83a708c8e57e652b4de3a69722ea45e021249d90b0c675a50ab9872f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
16KB

MD5
43290705612fed4c64378f87fb5e7e1f

SHA1
696102fef5288dd64b4c113e5c0e303a34d8ec77

SHA256
dc1ae2d19ac5f6aebb41c59f281e5dc45c129d7c5397b6f3d2710b515c1a1b28

SHA512
2e0abb32155628d2103fb0c632d64e72210583e18adb079fc92fe5c51a1fef4448f9984303506d9bae188849c4b4bf475b4187af18f7b9d2953470fa95225e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1eac84e6191b49a33db0e71232fc418b

SHA1
bc913ad5eff5f16b653ec9970d1dfc07ee937100

SHA256
5551a8a79111f6825d2f97cc150dfd8e23ad01fd4ba2ad88c451a0616550b1c3

SHA512
71e06b1982f2472b0163c8e6d62d2896ab8139b9551cb14f81547e75cbc7ce3ad0a08ee88e722b47a887e4eeacfa4a8fa769b7ef57fb35aef073d80592813985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe593e47.TMP

Filesize
48B

MD5
a221cbb6862a294dabec1634aae31142

SHA1
1cdb5bde8d438a3ce7a161b111fc0cb1eac5bf9f

SHA256
7538922a0e6cdb68a2e1caa56b7e68a40d654e2ee4b58209bb990afaf2874ed6

SHA512
fa5d26ebf7e905fc52ee64dbfb2a5d51075866a2c858cf6133234c949c84264d0689ecd4cead98c3774690c0d87be7627b92a3157c9249f453214c601eab6886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
23f25de54d1dcef00bdef0e84d978b30

SHA1
702a226318a9598b101cec82a36bf69b1c9b197e

SHA256
423e9721aa2326b861b12d240c68451de22358b4059c4c3437d0f7947ef2e1b2

SHA512
4788e1379c479aa2e4bacd0a10b28e519bca0736d3ad316ceae78062700ecc42fcc372217f3362081c18b8c7e358f4998db542494e743a2ea74cdb091ca13dc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
e9035712281a9873979c5ba647706c84

SHA1
0315411de5409ff6bb41fbc860a13e47624db343

SHA256
9bda8d63e8cf86dcce5aac322f8cbb93640867ba545cbd7270e52a66d37142da

SHA512
2256cf06ab7f69f346fdac335fb9fc0f2c74cdcf73b5cad5c5d85fbe9cce95fa81478d98542a66255aa54539573cd476b99dd3356bee76edb1df6c6fd5469950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
cd5ebaa3eb071c1cef7d2252e566ed77

SHA1
8207808b543b4a7207046327a3642ba2d579b680

SHA256
1bac877c14e62b140f2d343a611d3be01a3f02009eb45f0fd3a64d37e3ab017b

SHA512
e93a74af351d4b4fb05c975fdf53797d77bf380487dcbce47d7e58aae33ce6ba60b0838fce1fa9e4e91b7b3f370995c5a9a76ffdf6693d30109cbd1e5d5c69e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5956d1.TMP

Filesize
203B

MD5
db03191760f813d39ed9c47cb21f0ff4

SHA1
573b0a7aa92468adcc53529d21360f548d21a729

SHA256
1c2b8268382aac0048121ce1a856b44f8878903c67f83f3d19f8c2979940ef2c

SHA512
adf8477beef67c32d8e4f7b2f27e0b044affed4cf2518eff3455de014bc5c38df4aceb56f1dbb571b9025cde621758cabd5cf425eade440f08f34b80bee241f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
168dc68271c59f668d277e5e1cdb79a6

SHA1
88269a0b5e678b04f1a46338af007b021dcc351c

SHA256
9d3049c6fb48b3662a96d21166e3399ee3ac4ff3bddbe682dbb4cb2152458d7b

SHA512
9e0a8b272416c3c5619ef5809d0e8696a2bf00a2ee56732d771cf3aec51c7d62baaaeb2ca5033d64d55acc449cfb473d0913c7c5ab169904be55b0444e7b319c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2cf017ac1998f1d401e8e3aad073826f

SHA1
fff1dbfcb6a58df1b847612e5be3f894e2d54494

SHA256
e8e96f55dcbbe222c50aeebe70bd3339beef1297ce79e26293c57741c2a8db9e

SHA512
1399e4b2a1ddd71fb2f7b2629850d3f7544671217842f5e10607c0cf49a7ff911c5147ff1deed785bbbd80ad0fe9709db37c873a17099370c198c9bc66968539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66b7864844ee29a8712c8a97bfc1952b

SHA1
342b2ac73ebff56689099097f8ebfa46030a7b78

SHA256
2ed2234d5d2ee52d3fa3311b7c6745105440e781af608e4aa84812ec7120257b

SHA512
87bcb063479cb02d33b6b1fe3231a00a63821ef7d08c3fde61a92a533a330311dbcd3c3e6c4c22277639778c3fa7e49f0dce92cde9419534f583bfa0a2cfddcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
83584a62c33baae3be8b48c32ae4acb6

SHA1
9bb68ea8bb9f2c2e54d9a0efff4a66a512ac90b5

SHA256
56bc5859994282eb5b672c9b27c2ef7cad232af34c9033077a949b04d6c55c58

SHA512
554caabadea24ad0c2f0e1c55632d76b12e2f19ce506f5dffa39f841e35d263bffb001e2f6ebab043070794f97f988802e3db086092e28f262b36569ed8c7d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4524_2101519567\275fe532-cb2f-40ea-9d5e-9c93bd5f830f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4524_2101519567\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
ad7ffe63bb9e0b23f7989236e41384bb

SHA1
afbddc8dddfcd47431a1a56e557baad67cc2bb0c

SHA256
77bbede8cbf83edb3cb0bfcdb8e8dfa72299aba399a7dfbcfe0a3e4f48b7d1da

SHA512
7886582d16445167be86d31e945e00baa7aff9992b9d86049b6567473f0ec88f96eafce7adcb4949f0f5d4e3e3d05d6072c7c61205d339655f2099e1f9c24b4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
f5a6a77fd028a2b2a2c5546a47b1abdb

SHA1
505ecbcc8670fc5a1b6108ee193ffe669c5ba5cd

SHA256
c073e0546cee09fe442eb20fc8317d089ee69141d9ab40e8da4cec8a1b6f00f5

SHA512
9458841631520b42550cf1c663dae790cd9706a48c542f643a2f26a4659bc04540c16b2e75155a2e32c3044ebaf68422ea7a6e22f6cea6dff3743794c0201923

Download Submit
memory/4204-22-0x00007FFEE9000000-0x00007FFEE9AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-21-0x00007FFEE9003000-0x00007FFEE9005000-memory.dmp

Filesize
8KB

Download
memory/4204-20-0x0000016BA4E70000-0x0000016BA5398000-memory.dmp

Filesize
5.2MB

Download
memory/4204-19-0x00007FFEE9000000-0x00007FFEE9AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-18-0x0000016BA4670000-0x0000016BA4832000-memory.dmp

Filesize
1.8MB

Download
memory/4204-17-0x0000016B8A050000-0x0000016B8A068000-memory.dmp

Filesize
96KB

Download
memory/4204-16-0x00007FFEE9003000-0x00007FFEE9005000-memory.dmp

Filesize
8KB

Download