discordrat | hxxps://mega[.]nz/file/bzACwQpY#fEW7LQ-AwrH4BDlJuU3zXK1c_3_jwRmcsdfCz7u8Eio

Resubmissions

24-01-2025 04:40

250124-faj3daznfz 10

24-01-2025 02:58

250124-dgltfaxneq 10

Analysis

max time kernel
456s
max time network
441s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2025 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/bzACwQpY#fEW7LQ-AwrH4BDlJuU3zXK1c_3_jwRmcsdfCz7u8Eio

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjE1MjQ1NzQzMzg0MTY4Ng.GegUda.sEXJI18X6s8vr3thxl2kB0kdlOYRbpk7RIjEqs
server_id
1332152349216735336

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
3956	Gorilla Tag Ban Mod -UNDETTECDED.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
103	discord.com
104	discord.com
105	discord.com
17	discord.com
37	discord.com
73	discord.com
80	discord.com
96	discord.com
95	discord.com
99	discord.com
32	discord.com
36	discord.com
76	raw.githubusercontent.com
78	discord.com
86	discord.com
34	discord.com
77	discord.com
94	discord.com
98	discord.com
97	discord.com
17	raw.githubusercontent.com
35	raw.githubusercontent.com
74	discord.com
75	discord.com
79	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 771872.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3252	msedge.exe
3252	msedge.exe
560	msedge.exe
560	msedge.exe
3608	identity_helper.exe
3608	identity_helper.exe
3488	msedge.exe
3488	msedge.exe
984	msedge.exe
984	msedge.exe
984	msedge.exe
984	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
5080	Process not Found
3264	Process not Found
1252	Process not Found
3904	Process not Found
1936	Process not Found
3104	Process not Found
1348	Process not Found
1660	Process not Found
4624	Process not Found
1132	Process not Found
572	Process not Found
1196	Process not Found
3312	Process not Found
1520	Process not Found
5060	Process not Found
4996	Process not Found
3420	Process not Found
808	Process not Found
3036	Process not Found
2604	Process not Found
700	Process not Found
1144	Process not Found
4620	Process not Found
2248	Process not Found
3660	Process not Found
3260	Process not Found
740	Process not Found
2276	Process not Found
2396	Process not Found
5108	Process not Found
1532	Process not Found
608	Process not Found
3976	Process not Found
4540	Process not Found
5068	Process not Found
4628	Process not Found
4796	Process not Found
2544	Process not Found
2848	Process not Found
3032	Process not Found
4404	Process not Found
4520	Process not Found
660	Process not Found
388	Process not Found
1960	Process not Found
1356	Process not Found
2080	Process not Found
812	Process not Found
4212	Process not Found
1040	Process not Found
4808	Process not Found
4804	Process not Found
1724	Process not Found
4652	Process not Found
2672	Process not Found
2648	Process not Found
3080	Process not Found
2616	Process not Found
2284	Process not Found
4772	Process not Found
2460	Process not Found
1644	Process not Found
4156	Process not Found
3060	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2620	AUDIODG.EXE
Token: SeDebugPrivilege	3956	Gorilla Tag Ban Mod -UNDETTECDED.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3644	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 680	3252	msedge.exe	77
PID 3252 wrote to memory of 680	3252	msedge.exe	77
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 4776	3252	msedge.exe	78
PID 3252 wrote to memory of 3716	3252	msedge.exe	79
PID 3252 wrote to memory of 3716	3252	msedge.exe	79
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80
PID 3252 wrote to memory of 644	3252	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/bzACwQpY#fEW7LQ-AwrH4BDlJuU3zXK1c_3_jwRmcsdfCz7u8Eio
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe98123cb8,0x7ffe98123cc8,0x7ffe98123cd8
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /L
    3⤵
    PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17760702568558468082,8241111780567831781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6720 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f5055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
796259b52fdbe6b0c82617736d8b5482

SHA1
cd98b66aca068d7fbb64e1027abc1a72458e98b8

SHA256
6e9a40f6c250ce2bdaa71e4436670b872d7ff2e8a96a8c797f8bc92769c6c1bc

SHA512
7f23ee1fd9d1e7f37f6e13426c581389409ad0cf739b47a26267f09ca16093fb396425a9d6398cc46d8dc74ec9073fdff328d4de41a84cfc01f7d9f1094fb36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3e113358077d447f4cb0caea7b7a8681

SHA1
5d5b0847c5cbbb2b6e12949fe483fa3c83b3d8b6

SHA256
be5c15b673756949b554aee022c24888b9f0509aedb495020ca9837994757d65

SHA512
3d7d70cc8b08d307fd63c7b5b333732405717d4a296124ca6a67f6c5c5b7d95437b66b0252defefb62bb00c409403450791cd232248f37e0aa0f09197d66d358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bb64118a30509d45b9bd9ffe8b18ea01

SHA1
829d236cc9be6220686a26bf951a6bd445abe601

SHA256
3f48de81db18ba307b30fdc8c234ae57ec92d3114e1f81e0c6c66a96b883c588

SHA512
7f40dde8a01fad38fb300a4c5455919b60e95da52eda4dfbd0718d60737327251efff5c9d6713578892ed5b90fbe25ebc6949e6ab9e4b9a26a9de603a121c398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
73b971306e938d6db2d9ee10a2dc23b7

SHA1
437295fcdf74ab48c3002a8d10d67f956f6727d5

SHA256
44681bfadf8132f818fa27bcf2f8ceb419e8443d77f163e404a24af8207203b0

SHA512
7637d3e59ed4e8a74bd1254574cde7fa7d55766b3b7ab26c108c6f59c7995b9def897a2b5c22abb07b3c5509709a25f1047a418a01ff6e8a17033af8df916798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
43578dcce08c9455bcb3911946d7499d

SHA1
220aacf498908b1fe19dfb777c59ca225a77a6b0

SHA256
186a308a83a448f74443370329aa09064701e9b8d20667f2361b481d163117cc

SHA512
0e50ab30495a3bc23b569ed85bd880d4db875b453610a49f3db658fc2658c208266d98cdd1591f31f340b40bd433d0b05ea7e140dfc9736de787e32fe18a8fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57bf3fd8eb55ad093ea93ce4bbc3d623

SHA1
869617529fea4f11898e5a67abd5ad6dd5482ff6

SHA256
297f2cf19c161dd16929bec30cf8cde3a4f4ae838b5b2130a1e678daf95463d3

SHA512
9255d5e2e501d8d82017e54ac914848fe92e98ba6dd6c460bf68964b2de9d1bdef04e8328979f945f1015d35efb48f304de7ec752fb2c084716a806f84a799e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0efa2c256b124a1728b6e902ec9813de

SHA1
3fbbdc0499b200b468fe781ca67560faa08e1c0a

SHA256
0121a4784165621b30b623423f73d25c48683df3c32bf6eddc1e08c1c712548c

SHA512
5c58036b62c2157e7d04b49de16369b91fe90f51c1a19d621db9d8a19f7b578193d991e959d5755f8ab32a7ee4c9c2b62bdd305f838359a65e1a72bda42947be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d85eb5fddcf2a5168992a6ea4662ae4

SHA1
65afa68427b12fb28aa41f413fe21e76c2adcd8e

SHA256
bf992a82b23607ea04088f475f654c9ebaf0fa8a32b00fd9312764b8d5de6c2d

SHA512
44fa88f06b19c6a7c6cb896a79f04733cf374accac9a9df8a399ffc27d6b154d47c01586e2f56c0c4145988afada9139ad9f3e6621c4b8cfe9e0d964c707b347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7961df3c65f48e99058b07fd6b2c053

SHA1
ff3b8f194665692d06a80ae84622068fa3ea75ef

SHA256
2b5bfeed45fd3bade4c77c4d51833fd10d257155443d0d26e37449704f252182

SHA512
186bb902b7949463e8ca0d38bd9ec61721887e9992b90c0612dc37925ca8504318c1207ee001ad345e2f3d377ecd588e0b091d65f43851e5169d88876c883c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cb2739706340114df15ed789924cae7

SHA1
f47563f56e38f8f15954eeb29612a504069b923b

SHA256
32f554b5709a4a80a702d500ed50c36bc5e41ff15b4dbe4557a39a09105d9525

SHA512
52116af819b50e0673ab6e4742651812cfcdeb013310365f307a357e2b56a486359611eb10f6a05880c8859e05297afb7b8927e18995929186d7ee0e02821a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2606e22bc795c5bca7310318642a509d

SHA1
fd580f0674c396d488f219845a6c92eae7931709

SHA256
21a494f7af97c10111f8cac66578300b8d2d816dfe9030228f766058d897c18b

SHA512
92c37b25b629b622b4c59ea00dbc33b1ac3f2c0c204c1dab27bcdadc1c9bcb82efdd547c43987c6471ad158bbe1fbde9d111847d1d315e7f1e3c839000cc5058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
664b0b3865124a99419a397f78e84b92

SHA1
176e68c2498124076ce5219504144db9cd19c2f1

SHA256
a45f954a1cc3db592bf3d4e1ddc782c0901a4585dff0b0459eb0b882229da3a4

SHA512
817bc65a6c3d3cd768dd40b87f604f09bbc2fed0c17d973d80e39e364e25460d8a09e8feb02df9ea7610f2a9354a4731547bba0b7444754bb6cbf55396438da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0567d65824231151b28e874f24610fa9

SHA1
9a0e41c73a0d91ae62d7c19078e16c3147594ea0

SHA256
7d108f752ea6f092af2af847fa10bddc7223c647f7c7ddf4f177860c2974bf8f

SHA512
33dbee275b428322396f5711dd10bee67f39341ed4596976175b60589af4d1d7728597b039fc80165d6d40426e9ea33b8a59847fe77cb09efa9f4493122dda66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d59f.TMP

Filesize
48B

MD5
ca105a3067cb6bf0dd96a13bae2c0cc8

SHA1
02057bd23cb769da31b002213f6e888d558a9954

SHA256
586c9ac4904d85cc060390e92c2bb841207ebb016b504d8e590d58fe1efdcd3e

SHA512
c9bb90d774ae5d12424143c57c810c42eac71dcbf3635a462d4ad6cfd2cbc3f7df54bfd752d8ae4baaf409f6f99c7e095bf88a1d8451fb6191fcb422cbe558b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
54b916ea730546d7ae5c6dcab7be8c74

SHA1
95c98c7398257fa95b89ed989ab8ec9bc9d8334a

SHA256
6112b88e4e00d7a6647a5ccde2d6af80fb2adcec284bb1f27fd3f007eef4861f

SHA512
9dea5ffe78de12d28ca88d4ddea1dbb16902def46307fd9494fc0d52552791f3d9221328a666a81168344c3a1cbc40dbb8d11bc2b6495413b33b7579f8be96fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587c30.TMP

Filesize
203B

MD5
398cd378bb3c591d0e3ff35b909a8882

SHA1
45068d2673d62079c1fa5fd08499f255607fd453

SHA256
17ba8dc86f3c0ad6a2f1e2f3dd9f3098eab17b12e95326a75821e236eaa04ddd

SHA512
dece2e2a88d127f864480e517ee38404ad247b5c58639d9d1f57c8b021ca23ad8b361de73a13b07c80f7ecffed699d3b32379ae0f8b43deb53a7cdfcf3b14b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d05cae691893e8470bbdf40c702d4d1

SHA1
c9f6a394df58bf49424620748b5fbbfdce1395b9

SHA256
6c8ada68c0571dcb744607e2485a066888dd76cdd9fb0514977a64419acd69da

SHA512
e3691139f6ef49933825cf65a4c07970918891cdd9cf05aed6b2abf2d1d7b24b925a05f6169b3b7c18372bff21584ec30a254c4db4f8ee0420b750b5b4cedeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb04883dd725710240460b5151e481c4

SHA1
875bf969643c093381c309e4772d3bd1cc533a87

SHA256
e4864e52e1e8df0645f7a6e5d29f281086c6976950b0b1212600e15fe4c9ec79

SHA512
72b7572536e3b09b47b991bd7baf531632b332d7aaf22a2c7f88886cc6a23ca8cdd0375abbfa490eaf4b67548ee47a57d3ce142ce3c72b6bd94956d166539f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
586384182445033c67a619edcd690d97

SHA1
3e7768b30edc2bec3f4b3840cd0e40bbcca6744f

SHA256
3104034ca27b52007c1c97af8e5d1ce0b5296bf87da06b5a1147443347dfe29c

SHA512
8cd951d78d117999c904267c5a8f9ad6144a06af18752c0deb32012a445ec6d124f178e218ed2a0489bdc206f96130aa3e651328adaf0037725dd2fa52be8233

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\b0789f70-4ff7-4a26-b2a8-867cee433ab9.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_71164BEB3D504DB1BC07267B24350F7A.dat

Filesize
940B

MD5
dca013fcad6954c7ca0cf6fabf3bd9e0

SHA1
4f1c416ef6d6d71a1eca8c706de73beffb5329a7

SHA256
130781d4b8be5f709d1385bfca9b8ceabd66131600bee1913d275af121faeb69

SHA512
dd447ba24c2aa49d61b0bb8370f4d8ba8929f8be6613a9d3b0516e6b529030fec112d1e138f06357c5aa3a3913e98b383352ef5be38cf1a17d9622494961e7b7

Download Submit
C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe

Filesize
78KB

MD5
25de1708f6dddc1f577725ed54ac7ce3

SHA1
7988c6c41dbceb42fdbe14cfa4fc0b57d41e2355

SHA256
bd78b356899a5e06f27ef41237950a35ef0d8a10b1e21faeaa8bb14a4f8d71f9

SHA512
9076d2f0982c20da98889d828d75b29d58aa01ce06d8719a2485d90cd34d315052ee411a5c6713020cad417b270b9cba1df679c8bfe8ed82678efe2fdf4544e2

Download Submit
C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/3956-209-0x000002780D270000-0x000002780D288000-memory.dmp

Filesize
96KB

Download
memory/3956-260-0x0000027827970000-0x000002782797E000-memory.dmp

Filesize
56KB

Download
memory/3956-587-0x000002782A160000-0x000002782A20A000-memory.dmp

Filesize
680KB

Download
memory/3956-591-0x000002782A310000-0x000002782A386000-memory.dmp

Filesize
472KB

Download
memory/3956-592-0x00000278279C0000-0x00000278279D2000-memory.dmp

Filesize
72KB

Download
memory/3956-593-0x000002782A0F0000-0x000002782A10E000-memory.dmp

Filesize
120KB

Download
memory/3956-210-0x00000278279E0000-0x0000027827BA2000-memory.dmp

Filesize
1.8MB

Download
memory/3956-211-0x00000278280E0000-0x0000027828608000-memory.dmp

Filesize
5.2MB

Download