discordrat | f5bbc5fd1993c00aad0e04cf674216b3eb317aee7a1208aa99e3b311f60624c7

Analysis

max time kernel
292s
max time network
296s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-01-2025 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Notepad.txt
Size

339B
MD5

0f278ef649c5620e8c7def1f71069864
SHA1

a8743791baed7c850bda2df340730c806fdcf66b
SHA256

f5bbc5fd1993c00aad0e04cf674216b3eb317aee7a1208aa99e3b311f60624c7
SHA512

fc8077702c179f4b909a67e7f0b59d91a621c70d66ca81a587d64a100d8508e1fdd7835b3a25a157b823e0710f81928981b27c96f6b5e27e89b1ddb8e5aedd3a

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNjY3ODcxNDk3NjU3MTU1NA.GZJyNO.rnaMtyJW5oYAn1hH52KFI-MXmTfJwgK3xvu2bw
server_id
1244454499527954453

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 3 IoCs

pid	Process
6076	Client-built.exe
5728	Client-built.exe
1164	Client-built.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9b2da9a7-e3d4-4df2-850b-129a46f547ae.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250108224410.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808501059875363"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5264	NOTEPAD.EXE
1212	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2272	msedge.exe
2272	msedge.exe
648	msedge.exe
648	msedge.exe
640	identity_helper.exe
640	identity_helper.exe
5156	msedge.exe
5156	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
4624	chrome.exe
4624	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	6076	Client-built.exe
Token: SeDebugPrivilege	5728	Client-built.exe
Token: SeDebugPrivilege	6072	Discord rat.exe
Token: SeDebugPrivilege	1164	Client-built.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe
4084	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 2040	648	msedge.exe	94
PID 648 wrote to memory of 2040	648	msedge.exe	94
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 4384	648	msedge.exe	95
PID 648 wrote to memory of 2272	648	msedge.exe	96
PID 648 wrote to memory of 2272	648	msedge.exe	96
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97
PID 648 wrote to memory of 1484	648	msedge.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Notepad.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ReceivePop.mht
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x140,0x150,0x7ffd512546f8,0x7ffd51254708,0x7ffd51254718
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4376
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff79d365460,0x7ff79d365470,0x7ff79d365480
    3⤵
    PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17023883455689321263,16498152445966264585,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3424 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4752

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6120

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4084
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\release\dnlib.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5264

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd4e4dcc40,0x7ffd4e4dcc4c,0x7ffd4e4dcc58
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5376,i,1821946931375775122,3909738793702099096,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5388 /prefetch:2
  2⤵
  PID:4968

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c51a3f4906f9b786e6d8a4a826611c77

SHA1
7e3b00012416bc2c5ab3a1380bb59e7870d3dcc0

SHA256
65423ce452a12b9480520646ac3a39d7c1fe99da3bff3e25e865187886ac54c3

SHA512
beb6a9703fd02d88ffb38d45b58e3b47eb3a66e701f04d9c7006cb647e5e76a8366ce7be618bdba25f1b15d4f14872dc0a413bfa21940f3c1df475ea876d60b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
65942bb06ebad1cd212fc105f76c5cf0

SHA1
6740cef8211d708cae99f19e310b2f24f55336d9

SHA256
b3aff3f5ded531eff9203677f42b2b4aa9111cb1401ea1609094e12c37de4e8b

SHA512
a7dfc94b3b7a632629cbc676000473f7848068575ea135571fa8c347d695976f2ae6e0c3871c7fa0b0f3d1d985bf7ff5350125884feae28c02a4c01b56e61572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7f849efef0c70856b752089e4e936106

SHA1
df06d94ee2a60bc2b7ed65daf2cda91b0d69d5b7

SHA256
72f4da3e964945e6782f4ea897f1407698c95c1170efc51c43669211bdb3b391

SHA512
13bc45daea2374c81239ce39c1bdd8008c7a2174f1fa4ff38f834f30ae4c51a081db3f0bbf2c885b05352137328145e97a714c2a176de165ed2743bb1c32ee69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbbd4bc895338ba90aea90aa03ff0498

SHA1
ccb7f03458105a0c9e7342a14876c3468befc15b

SHA256
d97f9ec09449b76a8946f7d4a910cb246652d4d4b172e7388efb8eac41d3a13e

SHA512
26e6991ee74b849224aa104690915352c4e3073e23f6cba0a2d311ec0b046837b4be399d5e9bd244bdd398e5bb62b5f983986e74fe16ad3b33b6b60c7cbfbfe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cb5a6e71d923da62395becbaa409f221

SHA1
aeaaba992313e9fd651960a9f783582c4162c69a

SHA256
3b628c1389ecdb4b33e59faa5e08f025fa5f280bb1abfd7296a61efbac8d7f3c

SHA512
3889b3fd67d4b1f9257ddc1d623ea6e59bb634ffb0aa7e1b6848f7c89be7105374a3d5a9c6f427e1bac271302f6430e859900d0ffad60d889f70d3f60ae81c4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dc2cfa568a3ae86e9657a37969e1d5f8

SHA1
7e3f64669915bc8c766fb9985812ceeab3cd8651

SHA256
d67233f655af706de3c44b5abe8f25015584d9930a36ea293128481783c1ccb3

SHA512
4d5fe86b399cf129bf956a82028454a87b895e25c488c6d7efebead410b2d31d70b5fe990cf9de5a860c502efc0f95900c972f87e0b7cb8c3cadf933a72d69b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
17c9e6f05e01adffc86489c118c80a17

SHA1
5bb318e4f110bb67dcc840c15969cb6160c05c38

SHA256
73245a5ba7ac26ca4c98c7264e3f615812fb2affb5fe3a6772b5731a7fdca3cb

SHA512
c1f9863d42a9281f572f68eaf60b00c2d936f706d3bdb914dc6445a465a9f1f52130f173e1adc7150936c65324c0a861007b93243cf3abc2fcf644ea607e5199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
afb5f14ba222452872cf5e53e7acada1

SHA1
856182cc7c4855f90174a78279484ef98333e736

SHA256
09a67e090afa990fc5d90d0f697dde1dcca9da9fe10f44ee872617f8ff2d3934

SHA512
f0fa541e1fc7355cdbb8b5efc45fc7672034f92e618680b6f8209c2c0ba6b403bcd8fa3bd6b5e66a4ba0b5027477171aeb15b315044bd274fec7290846ccd642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aee441ff140ecb5de1df316f0a7338cd

SHA1
82f998907a111d858c67644e9f61d3b32b4cd009

SHA256
5944b21c8bdfb7c6cb0da452f8904a164cc951c6a4bb3a306eaebcad2d611d67

SHA512
54a2c1d4c8791ebc6324c1be052b7b73cbd74057d0ea46400cfd8e60f9a884ade60d838777eba7001cf44c924f63cba1a9708a6c71bf966f63f988c49ca70d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
821b1728a915eae981ab4a4a3e4ce0d1

SHA1
8ba13520c913e33462c653614aece1b6e3c660a2

SHA256
36c38bde1e74c5ee75878f275a411e528c00eaa3091e7c4adfa65b8b7d28fb3b

SHA512
b8fd54808711878ed567f474f174db662e2457b6c246f625e148944532c70d94d87e96ef6febfb657895dd0eadc25906c9106fa75c6b2d3bd37ca6786f03a8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
156062187a48d416561e78643cdaace2

SHA1
7b6aeb2fab1c41b28ff41d8654d10388a3d9d4d5

SHA256
dfe064b1adf68977ca37ab9ecb64ea5f94e0968a0dbd39e81f808292cc04e301

SHA512
bab118be22e7be4eeeb8822151ffe33035e677a5d520ed37c4f2fe305fbed39f77aeee9b256a18ad2e8fc07b6e751b6d1ed054ef203d844a2e47a2341f7ded80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
2a82e0a6e2f660be76260b8266eccc84

SHA1
8ce3d2bb2262028e8f97babf125738f3f4de6041

SHA256
30f24c6a841002ef4e529b6b67d9730cf92f4c05854ff1ea538a198864a03351

SHA512
443bff24423c5431ce579e2c5269f4ed0eb3e49e6d199ee33258030fdf04d5b27d7fcf9a46d6f87c60355a2445609a1ea0ba11f0f063a61a00fb54a1cbd3749d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
759B

MD5
af05b066d140d41533962e3e9f242cec

SHA1
e8eaab94950f97085b5493e7512e18ed77c25027

SHA256
a17fd621fd13e449b2da67f4bef266709885e6877dc644445dfe5c3ef1f5181e

SHA512
fc73c261056b45b0a6a88fad5c7c5d84883e8531d911596cee3cee4f76c2a3450e01f72f7bff756abe9a4ce4d5462ce5678421503f317fa30a1723b754f84b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
759B

MD5
f2dd90543934d5130714c0e3e134888a

SHA1
8682ce7c4d12e39353a8e025980ee6099afedd94

SHA256
228399692e4f054fa736831deb5e08010fa13896b7b8f1c7b735c14a8a9b724e

SHA512
ed022fc75d2c3f5902bc2d943c727a93a035d95f0ad6b294c06c0e58006a4cfe94ba03ad8b34c4872279fc4e6b75a72ed1dba26404616464a09e5a3a6bd8f50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5912b3.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
d3d43fe81690b9f1291b1de4dcf5b05d

SHA1
3231c4cf6591134b603e772f0a840c893d599087

SHA256
236f683eec1e928bf736d3e5086a86948ed5f36777f06bbf0836b67db31da17f

SHA512
fb9803e8cd6f2cc175be5662d0bc5ef5a9423db3789a6c812dd44e44088ac4eb7847c051dfc865b6bc3c3ed04d827e86e5669704b2c04cc435b52c16526cf4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
edee9252983c7e814896ed45a54303ce

SHA1
5936798a89b3d7873a71cbeed4399afba243f1fe

SHA256
970d9de30d65423e0cd9ea9018527f986aa2308e8608fa946bb9460f14adb2c8

SHA512
642403ab81e86fc20153316fa4d6a2685d9a8251eb1887bc9f038daf1c7a915a09eb9061306ef2500bcb5147350df5b43ba3e656ac9816103d69f8cf412a9b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0dbdffc176007002052dc70f5dc18044

SHA1
ebd4609055c66f14bc8424a7f65c66b808d1f7f8

SHA256
09ce95a45edb9da40404eb317d685466a9d2bf85f5b5f10003890ec812d802df

SHA512
c0e0b4ffdb4654e4d2f01750e80baec53c9a7925b509280b7039b53a21405bb103467833c3914e7e02f9212eee3686be4a8a1a36fa06549ba656f601a3d2b3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b410112389bea19bdb1a4e21c306944

SHA1
3756e14525682de66bc42119233e79ca7a24ad35

SHA256
675e4825c5ff3d535e52a6398169f8034e90c61c5628a488ec335a307455d2cb

SHA512
398f2fa77ddaa341e2b6110af861e678e159eea61accb0419e4022b3c93a17beeebd00c661d5cc45e2c10bb6c6ef6dd7434700231a97ede0db56a31390b424ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8ee5b63172e982adbbaade6f4bd8765

SHA1
f62541e6dfdf9d1a9ee1d8ff7d8b934df8e3db59

SHA256
67772596ba77b1d953a59ada42411e1d0ed1577d5a6cb229069b3c3b8e4aee9d

SHA512
fb40e37ac6970a41e715079b03e86e7e59f473f9ab62b572f638c2c9414e591eca3986b58b7f8cb85a22d7d6613d579322f453641d6645e8fae1a46b63f32c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
40054cb73dd68fcf513186a36e7b28b1

SHA1
782f64c46affe72bd6b334c69aae88aa32216b2d

SHA256
136f61f0d620207ec049ca6889378a9e89d998a6ef15fbd2a8095482d8d88118

SHA512
8689097b5b94b64af0be6b51f176041b25f5464bae229b7344df07a29893d5f13498c3f88f6448b956baa7accb460e31f5ffec6eda35f31b0587b5b0a1e63c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
729df10a7e0b722edf6673d36f2040a3

SHA1
d082d92cb6eb8c0d79c9ea7e67e8b4828c5ea02b

SHA256
e2c498352af617d6d1106ea4d53c59fadc993a1f432068307250cdd0be68f7c0

SHA512
1619048945ed9b48ab2568dc546adf5173f2c60d03ee74f4616c3ffafe7182052b760feea19ce288799448c0f613b5e5592e5c547417fd7705997663439e3270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
84bcd0be65c7543e3711055dfa3cd152

SHA1
a970726756839c25233d6cc77e310ef61203a86c

SHA256
1537ad4afb4dea3de2c28d0f40ed353995bd808d4dcb51d013e61cb2479ecdb0

SHA512
b2b729da5fa8b5892f32459d2f9a03fc829194819c0384f88eedf81e1c910d5dea56919b45e755c2d354fd465afd35714ac1f2e49966ee7ea94cc8a84d6fce68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585b5a.TMP

Filesize
1KB

MD5
52d45f34b8996d82a42d62081aaed730

SHA1
4a5116ea60ac14125ae52edd757d6fd4029a07b7

SHA256
39020010b266d2f910f4c8c754536b5532503b9eca806daf5b2382a415372e07

SHA512
18594138fe25b48520fe8320eccb11236bf59317bbc42c53f3ea5546599873a30842ee4a4e64db9ad88c09adf3368b9d1238ed19344f56a2359a1260c7d1a680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0d6c1ef960a227152075f81716ffc011

SHA1
fd322adeebbef061b9e4dd259217f2513d4d86e5

SHA256
fa1e576af836c35b6493b0900e3afb7463f7109a4ba6ee6f2c0b8c3c901dc195

SHA512
53938f86b7b56084462b7a6aecc4a6453d7820f5bfc8f1ba39872bdcc80953bf3e8dc0e1910155fd8a95a406afc3d967d3c3284102af348338bde182b47aee6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b8c62cc2867a1ad620ccac776d4c75c

SHA1
40e64f702d4ae9194c8b80c57085c9cdd1ed1748

SHA256
e3a77b55e8f289a3dba9356b8606442ebf7ef69820cea8ce776134abb9d1368d

SHA512
7f9ee7bd2ac3c8333bcbb2affed6391b6eab233307c7c2fb076a8f40da4efc457a23e0b9be9b69a3c8c214195e38f0d5bb3cfe5ce459c3e1c587ba3fdad5bb5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a89bf787d9e4b63d904834ea48ad0099

SHA1
b37a9c06d87881f023b1ad03e0ae3005f00ead05

SHA256
e4b99aa73f3a0616e1ce7a43638b9e61f7d023a79bac64aacc00b2d249bc86ae

SHA512
020b57e6e9264412ad5dec794bfd9b619822d0d3bfe3dac5651a66a2c044c341381eafdd54ed34509ff3104a8ecac521766579855e8ce3ffbf3a121ef41538bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3dcb24ec0105361b99f1e7a182d58333

SHA1
ad3b78b14e266729bbcad1c6e49d5bc5466c052c

SHA256
f2c51b5bf469c4ef5a893a4957cb61cf7c99db9daf236cadfe1f4c51360dc1e1

SHA512
bda865633f13e3e39ac1c054a7211559d9eb60c87cec554edc4a9f3cffbd7a03f78c3e59e30206f6ba622ab79b88eb5f0a7e8b78b90ad851714ff5810ce65abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\96049153-f8e1-486f-8588-fed0e6cd5f73.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4624_1823680489\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
a7d3cd9c2f412e79ee15b58fc451a678

SHA1
5cc80d3a9fed28896e6a9dde83fcfc9b7902de72

SHA256
5b9ab5832a7c88159745048c2dec264b5bf0810fe1d3f66429aa64be3ebbfcc2

SHA512
79d6d0bad861ad10742850aab2411ec7ff710fea3fa93927e75716d2c71632ac31c9faf871d26ca4cdd0ca61b331674422413f62c5194979fbe64e32cc6afa71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
a4d8fc4db8cb4bcf4f71545d1f89a820

SHA1
32acd54fd8c6d51336e19fcd9d1c80932bb7fcaf

SHA256
1861fa3d1d8ec44318ad5ee0f6b6d6494195d67f81c781d0ae8e243e60e1a1bc

SHA512
7bfd48323afb08c61558f4f6c5d569b783d147c1d25417a4d17716a1f07ea0902a09217db56c5f64206f2a95ce50d1e42560a11e4ac2edefa5c8d647a8844718

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 98533.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
b21ac2f73bf4ac941ad1e17a1c5131d7

SHA1
17ce8bfaa5774f432cbc69de10fac621fc79829b

SHA256
791a9fbf0fc682690bb1ce3392c3db365e09f74c22ba00d92890e2184cdd554e

SHA512
9c6c88eba4fb28e67ba0f617cc40f16182c838c2de3ca38a243f97e8780e3e0e5dd60c40b9135e77ce02b3ead0bf296ed7ca0128c54a3af4cbacfd987d93919e

Download Submit
memory/6072-572-0x000001E6F4420000-0x000001E6F4438000-memory.dmp

Filesize
96KB

Download
memory/6076-569-0x0000019F779F0000-0x0000019F77BB2000-memory.dmp

Filesize
1.8MB

Download
memory/6076-570-0x0000019F781F0000-0x0000019F78718000-memory.dmp

Filesize
5.2MB

Download
memory/6076-568-0x0000019F5D2A0000-0x0000019F5D2B8000-memory.dmp

Filesize
96KB

Download
memory/6120-417-0x0000000009450000-0x0000000009572000-memory.dmp

Filesize
1.1MB

Download
memory/6120-414-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/6120-413-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/6120-412-0x0000000005BB0000-0x0000000006156000-memory.dmp

Filesize
5.6MB

Download
memory/6120-411-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download