discordrat | 9c538454c0d5bc061140f31eb10784e7f525f865dcdaa4b66aa689c1a85543b8

Analysis

max time kernel
186s
max time network
187s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-02-2025 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built (1).exe
Size

78KB
MD5

c305efabf3779d300d766a4e2990f6cd
SHA1

febf6b16a6e3de42427fc0fbc2a1191acc66aaa8
SHA256

9c538454c0d5bc061140f31eb10784e7f525f865dcdaa4b66aa689c1a85543b8
SHA512

05653e94292a2aa95203857b6efb0cfe4d9562a6f94c8dce6d12063ad4e39021abc42fe5058b15a2906715b232388dca6e272f3336e915c70ded964454a850cc
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC

Score

10^/10

discordrat defense_evasion discovery persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwODUzODYxNDg0MTM0NDAyMQ.GYcOVt.Gp_DOcHBox7P0N-zNBTm49eq6NTvt_N2AxMvF8
server_id
1336013454258995351

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4948 created 636	4948	Client-built (1).exe	5

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
22	discord.com
15	discord.com
19	discord.com
21	discord.com
10	discord.com
14	discord.com
17	discord.com
71	discord.com
76	discord.com
1	raw.githubusercontent.com
7	discord.com
8	discord.com
12	raw.githubusercontent.com
67	raw.githubusercontent.com
69	discord.com
1	discord.com
3	discord.com
5	discord.com
13	discord.com
18	discord.com
68	discord.com
72	discord.com
75	discord.com
6	discord.com
9	discord.com
11	discord.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Diagnostic.log	lsass.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\7b291ad0-aeff-4d2d-99c7-694ed20fc91d	lsass.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA4A7.tmp.png"	Client-built (1).exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 1496	4948	Client-built (1).exe	77

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3587106988-279496464-3440778474-1000\02dhltgnxszdqxtc\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3587106988-279496464-3440778474-1000\02fjlbqrsxgybqjo\DeviceId = "<Data><User username=\"02FJLBQRSXGYBQJO\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02btjamfcqlfmnqy\Provision Monday, February 03, 2025 17:11:18 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0Bope/+uLU2Zx2lO0g/JHQAAAAACAAAAAAAQZgAAAAEAACAAAAAJQYwo+ZHHQiilkv2RKL/qrztFTUyr02ojCnfOMpSZTwAAAAAOgAAAAAIAACAAAAB6UovW/cGKjTVRhPbkS0ug7mZazRk17Er/tLrW6DO0DSAAAADL6ZHLWWXz6am4kWXW3LkPDgHaNHWNQ8i7DEd8i3cGl0AAAAAOX2zKppWBM93hD6op+IYCQjv/TqCmO6MBAuY9D4UEWGyRXrNFEHsvHKjcW8DlFurAWZmyBmJNYrE/lRbA1KPZ"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3587106988-279496464-3440778474-1000\02dhltgnxszdqxtc\Reason = "2147780641"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3587106988-279496464-3440778474-1000\02fjlbqrsxgybqjo\DeviceId = "<Data><User username=\"02FJLBQRSXGYBQJO\"><HardwareInfo BoundTime=\"1738602681\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02btjamfcqlfmnqy\DeviceId = "<Data LastUpdatedTime=\"1738602679\"><User username=\"02BTJAMFCQLFMNQY\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02btjamfcqlfmnqy"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02btjamfcqlfmnqy\DeviceId = "<Data LastUpdatedTime=\"1738602679\"><User username=\"02BTJAMFCQLFMNQY\"><HardwareInfo BoundTime=\"1738602679\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3587106988-279496464-3440778474-1000\02fjlbqrsxgybqjo\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Feb 2025 17:10:30 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1738602679%26hashalg%3DSHA256%26bver%3D40%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C524_SN1.0.D.CodGgOttVuANwsps1I6p61uj2UiEdxHkG3fF1NnSyISpzf75eskioXYAk4A7Ppu6CfxIWQrjuqdKLzKb02XFoFQpioz7Mi%252Bi4uOJnkx52eBSRU0eMN29O8J3sj3MIBjBlf6/zATTfwDoUCIJAB8WaBLj1%252Bw4/U4Rhmvru1gMUTwk4ArM%252B6F%252BQCCPQK9tHumlsf5%252B5O7OxVGUMEiXS/DIH3a3i0SiC3rngdSr6MXK1nsB2C0S19hf4VTab2W6%252Bphn6nfcg39PFziBsSopvvCt7WBolUHcKfGfNoU6enKk8wAzwNyBualfKfHa4pEJKHYcX%252B%252Bv2r7%252BEI5vIEebd00X%252BXOJM8GMLUMwyvW27IGxb7JEJ/EHMMZPlAZKKNckY90zhaZfWKwBMjJQTh2BdgWTqlWs69%252Byw87AL4m%252BqFrlEIlIFJmO2GxGugSkuZgwg0o82/u6RatjR5OJ%252BtKAbzVvPc27iC6Unqz89VC%252B86x10ntPbXK8MQtzUhC8a/3VsiegEeL5%252BNEHgLFQRFfaCcljcfo%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3DoG4QwRHkoMkh8t9poqM4E9S0p3OKaFta%26hash%3DG2PQmk%252FoQfo51c4cpA32oyHIw%252BFEVzZXzUSaZaaG4V0%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02btjamfcqlfmnqy\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\WnfLastTimeStamps\WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = "1738602669"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738602629"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02btjamfcqlfmnqy	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={653E096B-9E4D-47F6-B577-E2111D84F0A8}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02btjamfcqlfmnqy\DeviceId = "<Data LastUpdatedTime=\"1738602679\"><User username=\"02BTJAMFCQLFMNQY\"><HardwareInfo BoundTime=\"1738602680\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dhltgnxszdqxtc\Request Monday, February 03, 2025 17:11:19 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA9BAjoTlibEKvTNlFfGhUwAAAAAACAAAAAAAQZgAAAAEAACAAAABoHJx3SO8ePMkRL1WtTfzfSxoeWy7aB7tKJj0XXkrLDgAAAAAOgAAAAAIAACAAAAA36jFzYA1sV6DOEOYN2UPgk9vWaDJxkrf3DONCm4xjGlASAAAwvSjMsh3ONyEWf9gWbRlsuJXZpdmVUGH58h4b5my1kxGjhG3c1AmQ5Fgoyyh4v+JEIy8+bW1fMOq2BbHUYFlnBZMHWDQmNMh/4ggz2Z2OP61pQhm+p6bJE93EeFXvuoBJiNZOl7gFA0fISJI6NcOiMGvCjGUELUBGa8OzQ3RVZJwooInV9as9w6Y8P5jhELZMWlIpQvwWidMfi7R0EP+jg5bQHjQZVwHM76fJ9dHHRorl71M5pcy/ZUumvTtmy46VkR4dTqYpZZ+Q8p2bHOzVlBSfSUPg9wpKAhvqZFOK29fmLxOC8SiMcWdDXfs8txKawCibS2M6SS/E7mcHm0tiSmryXGXbrqruzOXsjhCqX2KvONECYWBIsZex5v30kMkLX2gfoXGoPlrWwNl82T1AkksZG82dz7XC2QPyA6CCw+XOvqIkVYM9ml4LSNgM+62s10DiH1TndeWjGaQipawGTIAuH3utVwHKPa1IAsOVU5eUai9xPHhdZnJ/nW75JYcjz3RGr8YPlSNEeIvKtO5GqgQNU+NnSehhFVlT8yf0jXETyuAidOtVVMWLssPu5kRuQ7y2iB8Vwz82u5OLFD2SJQqhF9Qg4rI6HDrs3PaJW29IOm6A31NWIp8l1XE5PxsLmSQxd2s/1utD65PJSjStN5+HWeuJgIT9A6XZsrpaHKVJ9mgJS27Qbee0C/YQpKdDECsLP0DF6lfulAfsnp5RrVEg5pV7DgNhbITtLRVb72xTd32zBDFkCnfXXeCf/3JV8pzYxHiiYu68SclCIdGm1uXOBAZ38qjr86dviSWQa+/grAMcBUjFyp8gI1/QF07G7JBjns9aqyYOn/qKWsIdfgVA8sJBrsHFohMiXruzjUOUv3H3bDWjaLLpsbVmgNFc2BMC/krdOCc61Ka2Wef7CtqB3CqM8K6v1gDkuQolhPyRvUtIV5g3af1Gsx6Tj/dfoWRVJTPVFak2CkctuEkE+PuYmohkU6KZPrPFe1s90ugF2n1KqJJt+FPTvWJt9WZVur0ORF7loAAH+rV9cXK6gsFt1CLTbQQSgNf7yeREwgpHH2ji/6KncKhv4grR/YTkNU2D4rHHv2HRvgbSR5Ygq0YtpOjj9GCsjKliU53iWFO1diaU3NJzDTPp4WuX346TJedht0uyqZFQFeMjKRnVdEicgGn2O7jbFY8s55OUYpQUfEXFCx/esQQOzZJU4f4Yzzq6+FRhQLuvCOfz6ECQ3pBRFhPEAAkNgjKWHFRU4Ymv80mEaUjz7P9vqyk8I4htyvWMiQGk1ApQowgxbxc2QLD5800P6w6E5RuSOeEdMnP4auUxtA+tiUX7yKogj9xsJXCeR/SpLxAZs2Agu0cFgGbGijr+Aq88BgX0ooMlipDLgMs2s4+duYjREQb+IN8OVO0uPFZdSXJsUJg9KfnKcbsY+91vVV1iwQl63mHdaJ4R2pkOd5j0wBqm0OWt19lhLTIsCLqNGlWht4tgkCej5pR6w4bPhogJ99efjiZ2aBKXs6KVbF/M3GN3/XtpsI1wM0pxSUpsaerdeJETBGSUz64FwVJXXbKr5QMQDRP40Vnq2nA5EzObpmfG1yVC9QZLdLR+e88sEW4Az/nONzYTikzbl5eVK4KnvzDwjFMzHYRLxbNfbq8VXU310qB5NZu911QWYToBKvjVpUTrVqG5TIrXQdRN0Y2kZ8P4+h7OKub+/5BA6+sIX+77hKM3Hj6Y4r7NiIm70p8sBuoAHXl+JIuSyPXwYIyVHLa/KFS3dvvZSWkgT7agea6yWWe9cQ3MmrBfje1Z5/1AEDd6wjpMH1kkXTu62s6vJp4gBGYOkIU/2N3RyWQ19Rx8F8VGbzD4fasx3ILb5kN7HMXwS8AnaOckQ+AvkQ/5XASXJ28mKCzyhfWYVlrYg/Rh+K0FKh3xDzQct6PcZLug/vWuMbPWW7Da1KKh2H3HAZasezHsSPJGsEVYXi0yVIyHO8QL+k+JWBmAmTPzveIX1rf4jFr1WtnpTzC6zFndVZ5NzY9P9mM4VZ6U5YYgf0mD5KawFvBhvA+b/M0jw6x+ff69DKnEjwGJt7CnmhPhvSs9omXG986ElDzxZekoDRSXV+2S1WPXC0W8V2DrZSe9MTQmsukw3cU/kVO/f2/Pw0fDTFhSj+irra9o0W68QzrkAm9ij7ZQloNGoYia8o+oqOQ/9rJf2fIZpZZ3XCqNQIeLa/5UT50bUx/RCGSduE+EG5vCNOCb/qwYKBkMz2jFWOCslU4GGUMI2CeFvRxKt6XZSytlCJ3EWFW4ENYgVaaqLgfFJ4Smy/kw+dmeMhbCtxWZvPs8WCNzu28jL0fbYzYESsWgnL24zNzSW9xvXW4dqGsV/eMOP5PX+zpDaBmt1Rt9mBOQXjv76WFTCRQkjI5QAMwrR2ty6WYbJoYDIQNxBboMcJzFssvX66eNeVdzG/SD3+essqjxuPFq3tCxpguemnSgWuR9utm99SZxcGtAPIgVTmTnN4w4Vp3pSIzgm3gV1ReM4QEsg6UeeISiC0e+xRieu3n55iROkouGeNwNveRfw41HRssSlS1zrzNwXUni2tOcuKNAy9nQR0G0i80mzYz5leqx/aeY7cse9H+MJA/vGhRxO65bFthnHTMs497Q15hUe/YyHbG6gZLGYjdbJWTkHXbE1H642NIIY0mhUH1IOPEm0kupqI6R29e3RecunWkmiHpflpOs1laCzXJtuTVZ+KR5ruzhHgY/C9lIEqNF807BZ6NcyTS2dBwohzY9D0v70IOJeYha3tgxJ1ABHHrqMev798QsBFGhCcVmsoKgDp0seGWmG/N1RtzRKeMRu3y6wrqdhUG9OX9AF5K9huXF5ItdlDy2CdSzaEkVzkabZMLT9hIKJF687SVKFKsZmrKcImcrGzeYbGc6BwP3iC7j2r/qJqhmH4+EOBFgyGVaCClWiGtivxM2jNgC/8b+Pttk+j6jolgVrVgwj2y32O+tqUuYFbYsKeneIZLzLW7HvFLmZ5NkJn7Od/aMrjlNfFlRFWr3Eob/ahBiYXucdWvhghqDRIDSAd9apAZHO4XHsf77JfIqCPRaOim2ExGBlUm1EUCtxhEVN5vni4J9LiJI3JQjZ1X9pP8hc+1mI14xFXpcVXFRBlBtKASoWB7qVHtYAwGsA7KnMJ8hKwUYMLQuzKL5EAn5Ot1pGNHFNXxAHbrgrMmydib5+qx1Af3ATmVRh2cEIPZmREzKdcDN8cWBGBf8JQLNVMSIQnJZH2n+jAba6Aulaq+G4rjnOcwcu+SXW6kaZq/4xT+Db3xgofOVZp78EQv/c93eTCPyxSAcQOIPmcvtW8PjhIa+eCgAdtYHsrekvPAJYRGhGoAI5WEHtRZkCSDgY0jGnQILBy97RUyGSfxoOBRB6GMBM3pDIw6FaMuzlZLlR7WS+A1Qm2GWsHKkswO2riSzMSzQXOj747OluX6c975xrNwU60iCQI2N8GMJFH0BAUQDaSo5UdTv5MeoOZtx2Vt/ap+xEWVlWElsI8ehrg0hQnAo6t7g5mwOiRpVD2K/0rGfFnW2lePtEhMl6gNcYTtTRYFOxYpX8r0QD6rFOJUfhImfOQx3m5fENWQKSGItl+mqfgozS4akzAsDnS87mFl2+e61NH+IqlIRmW9/txDpOGi4slSyL+m5jNa+0YGd1XBcnTA6QNmxWwhEvGpC/j4ELd92BoBYjDHfa9FR/Gytv2OEFgGI2HDdqITvMQUVDoPhnFwsm2MqYK3JhwfquU7/cOOIZXwA8oQhDpnPH4oqepj6hluhW90Cwb0pjjMf+CrmWFb8jE6pzpTxP8UzqmbnAf1y4lNS9RgI1uLH1zdq1x6qN2vR6VY6zg+kx6PG+oLe3RRgHmns0VVcDTDcD1lVZvjB/NVKXCAC7SM3muO2ant+TxBYVRtwYilmshy3mS7yM+LxcCYFXlmfCVxL1afr643ctnUTAmma3dfIYS3j58ItOeBDAUYZAYP84UAKD0kMJVu3drBQ/80deFpCXF+nxmISwSAektHkJdkuxB/x0XMfk+DZ2Gl4vhWGHBB9etSWpGLU3qxyoPuI0t3j8wKuKYhGZCib5Q9LsyVwl0ja2cz8XXaXFr+ND3zJbsR93w5WGA/NL9DhjPSZNdoDHPXnMMtvfB49dgrDKorRLRbFhomNUa10PurUCUsh3PCi36U7f5d05pt7Dx/W6fzY6ZRaLq50ISMCrKIp4E0OFLd0oI9ZVEYXogTFN4cdKxJ3blcc/VhuR/OONNU7IjzoloYKuxrO4ufyRAFQkdd9/Bpt/juIhWw1aZuBWs9a9iruou77QoWMu3Te7TNrKE7Qx+T8yDeyJV2EkN1sJQ1TK4gEt35W8sp7g4cjxPb8E/rdw6wrKAaMAwzo/zWWCr8lSL6/udgYqNZDz5esLLBQMTc9KJ6n6pUFd6NOIQAyxO+Zw9uwfTRQBhiiuR4gfGH1GLerjU9oCpml4p67CiInAAvCO72g+MIaeb067qjafds6LPLiZsebVdF9d7ul/sLiSQx7MVx1F6MAa21CTaTaBzy7u9VPknpZ0uBUij2N5dJ3xfclgEuYwE7iEGbKkhGDQO5xnK3sZh8no/qFEN96K3umgC2BrbnPuUN2o72ldIYK5ZoAyJr9qmQXNITSq/YYtfimMpcu7HAzFeg6rIxdhe4iS1oyKTEjneZ47b3em5KTqnaCik2mGwGKZWdov9Gn/5F/W4P8za2Vr7Ya+OqQHGgq6BhWfnxZ7wxOa/5tc6f0MG0qXrYsYrbWpBO6zb0cR6EH0gL63wndP3a/Kf23RO60ignplUWivNW6HZGBcLLXwQnX0xjd8+QoeIpsflXxg/JoeD0+qhQIspQSOGrWo8VIZsieCZMc2b2n2L/Ibn3mIpV+S33IdE8gmomP80Esxlx92Gd/WLizFp/3JVjbRBV6MPOs5Uhce3mjEem2+6Xcr+FuZK9e8/4a3X5twYZkVzs1GJk/KKR3dFvTMSEkeXDoaYYctiWovvXM8q6AyYECCX5nUsgvbsNpf22q9sVYBU0h/iqKWf5pGV68uAImLx10ORKBp6jJQBuqLmb8mWXV6H+SXEjrkHRjGhH6hVL5NkS1VrtqBQyQI0X92GNqLp8NdtfAW+c1MFpPCzv/8JbjVv3QAKO9H7XzGYo+nvTPCRFlTtSZwiko+eI0A0axWbbQNf03LRpAswWceBoSuugL1/Q2YHUxUb2XY7R0NVIWA9zJsisrcrWAJMOC0nS4k/6ZaJzBXZpJp4TxcCdrHC4b/hKCGw2RWjstWdrNMvShhPyalHxtwxZZCCh72AP3FzKlBlEvfpUSh/n8ZzdWkQTt+/wBQajs1WOHm6LtJlydDtMm8Ux97vfRb5iX4NN1HIZw6o/00wXMewRHsOBWp+/rBGiLujmpn4MMpHfgVT2Ec1ewHMs8anWIxzNGTjZ2efui8HSaZ8cE+mM+N3w6eo9OlDPDyg6Jqnafyvhf1dOJu69hVuttLUOXOtQ8SfM4+ONWwvEQuS8lze5hVPuMUS9VrLPpoxiD7n6+RjJPVLhRSd+pfWo10+2IHiAsaUQ0VIdgoXvqWD6dDIRU8qSyI4b5NlCM2dqJI1hTH+TGg372D7uqhaYUzW6TOI6kzX1XQ0SmjRELFCuozGnfl88CSDulb1hLUxHLFsunkcLaHN5uEuvmf5f/IpsOnwg0Cizvr/R/qVBpOGaQjehNcoe1BGwlxLBgo3aQYeLc3U23Ufqwzmkn5axj8b1cFUIZQG5M5vvMqRrhPVGmnyrO0ilJ1N3BUVGKsjk1AYdBBGAABsYScOpXezdZhGzHeZN7WfM3pMVB0o5vYGb0wu3QMSBrWm0UgwOmqh+oN8jEtf/7Cm34s4o7+I+Z/GrHLA/HgzFbyokhpxEg6yRSB9+op5nEY2mo4VIyhwxYp+a+trdQxWHsosk3vzK/+4M8mTNGDYTv2rVrMQPqVjbpXWbZmL6TnP/qzt2Bhx6084oUP7V14DCSe8phdS70cFkcKHZ4Hd4uHBpltXKDwMlfyDBCcOPy6r7Kn7FjPZLgrqMNtah843mrP2zaa9EfeuWgg1KUIyIqKcp91wPnW+LxTKBn6DJuTv4gilrvCAQMsxO66COWbsHKLQCkJvlAusyyfyEuaDgassSXF3B6ih+mpIL1jmYY23Ia1kl0y/8bFCh6lB8fZFq6ovbg0dWxWSDVXdNvAPVyElWwNEqBOWFBAyzZNellGYBfksC6xnILxNRnd0AAAAASVPC+Ci8BtTJPCzmWpWIUsuvRB2P7w+9/zpFml/vVSo4Jdh4VG/bMgeZBzYjov1xTEXvP6NtXQpX/YgcKblLt"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02btjamfcqlfmnqy	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	Client-built (1).exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
4948	Client-built (1).exe
4948	Client-built (1).exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
4948	Client-built (1).exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
4948	Client-built (1).exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
4948	Client-built (1).exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
4948	Client-built (1).exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe
1496	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3320	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	Client-built (1).exe
Token: SeDebugPrivilege	4948	Client-built (1).exe
Token: SeDebugPrivilege	1496	dllhost.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeAuditPrivilege	2560	svchost.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeAuditPrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	480	dwm.exe
Token: SeCreatePagefilePrivilege	480	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4948	Client-built (1).exe
4948	Client-built (1).exe
4948	Client-built (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 4948 wrote to memory of 1496	4948	Client-built (1).exe	77
PID 1496 wrote to memory of 636	1496	dllhost.exe	5
PID 1496 wrote to memory of 692	1496	dllhost.exe	7
PID 1496 wrote to memory of 996	1496	dllhost.exe	12
PID 1496 wrote to memory of 480	1496	dllhost.exe	13
PID 1496 wrote to memory of 716	1496	dllhost.exe	14
PID 1496 wrote to memory of 680	1496	dllhost.exe	15
PID 1496 wrote to memory of 1076	1496	dllhost.exe	16
PID 1496 wrote to memory of 1084	1496	dllhost.exe	17
PID 1496 wrote to memory of 1228	1496	dllhost.exe	19
PID 1496 wrote to memory of 1244	1496	dllhost.exe	20
PID 1496 wrote to memory of 1292	1496	dllhost.exe	21
PID 1496 wrote to memory of 1328	1496	dllhost.exe	22
PID 1496 wrote to memory of 1344	1496	dllhost.exe	23
PID 1496 wrote to memory of 1432	1496	dllhost.exe	24
PID 1496 wrote to memory of 1440	1496	dllhost.exe	25
PID 1496 wrote to memory of 1452	1496	dllhost.exe	26
PID 1496 wrote to memory of 1500	1496	dllhost.exe	27
PID 1496 wrote to memory of 1736	1496	dllhost.exe	28
PID 1496 wrote to memory of 1744	1496	dllhost.exe	29
PID 1496 wrote to memory of 1788	1496	dllhost.exe	30
PID 1496 wrote to memory of 1864	1496	dllhost.exe	31
PID 1496 wrote to memory of 1952	1496	dllhost.exe	32
PID 1496 wrote to memory of 2028	1496	dllhost.exe	33
PID 1496 wrote to memory of 2040	1496	dllhost.exe	34
PID 1496 wrote to memory of 1988	1496	dllhost.exe	35
PID 1496 wrote to memory of 2060	1496	dllhost.exe	36
PID 1496 wrote to memory of 2172	1496	dllhost.exe	37
PID 1496 wrote to memory of 2288	1496	dllhost.exe	39
PID 1496 wrote to memory of 2392	1496	dllhost.exe	40
PID 1496 wrote to memory of 2400	1496	dllhost.exe	41
PID 1496 wrote to memory of 2428	1496	dllhost.exe	42
PID 1496 wrote to memory of 2496	1496	dllhost.exe	43
PID 1496 wrote to memory of 2540	1496	dllhost.exe	44
PID 1496 wrote to memory of 2560	1496	dllhost.exe	45
PID 1496 wrote to memory of 2568	1496	dllhost.exe	46
PID 1496 wrote to memory of 2600	1496	dllhost.exe	47
PID 1496 wrote to memory of 2608	1496	dllhost.exe	48
PID 1496 wrote to memory of 1832	1496	dllhost.exe	49
PID 1496 wrote to memory of 2696	1496	dllhost.exe	50
PID 1496 wrote to memory of 432	1496	dllhost.exe	51
PID 1496 wrote to memory of 3320	1496	dllhost.exe	52
PID 1496 wrote to memory of 3448	1496	dllhost.exe	53
PID 1496 wrote to memory of 3504	1496	dllhost.exe	54
PID 1496 wrote to memory of 3896	1496	dllhost.exe	57
PID 1496 wrote to memory of 3968	1496	dllhost.exe	58
PID 1496 wrote to memory of 4020	1496	dllhost.exe	59
PID 1496 wrote to memory of 4084	1496	dllhost.exe	60
PID 1496 wrote to memory of 4276	1496	dllhost.exe	61
PID 1496 wrote to memory of 4528	1496	dllhost.exe	62
PID 1496 wrote to memory of 1844	1496	dllhost.exe	65
PID 1496 wrote to memory of 2320	1496	dllhost.exe	66
PID 1496 wrote to memory of 2744	1496	dllhost.exe	68
PID 1496 wrote to memory of 1488	1496	dllhost.exe	69

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5eca8797-f6ac-415c-b236-91d6bb02d785}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2060

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2496

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3320
- C:\Users\Admin\AppData\Local\Temp\Client-built (1).exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built (1).exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff89dab3cb8,0x7ff89dab3cc8,0x7ff89dab3cd8
      4⤵
      PID:440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
      4⤵
      PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 /prefetch:3
      4⤵
      PID:564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
      4⤵
      PID:1304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      PID:1808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      4⤵
      PID:464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,12359139689158892886,6645928379459829562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:4704
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C sudo rm -rf/
    3⤵
    PID:3232
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2744

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1488

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3180

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
77b20b5cd41bc6bb475cca3f91ae6e3c

SHA1
9e98ace72bd2ab931341427a856ef4cea6faf806

SHA256
5511a9b9f9144ed7bde4ccb074733b7c564d918d2a8b10d391afc6be5b3b1509

SHA512
3537da5e7f3aba3dafe6a86e9511aba20b7a3d34f30aea6cc11feef7768bd63c0c85679c49e99c3291bd1b552ded2c6973b6c2f7f6d731bcfacecab218e72fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
5cfe47601974ba0d5f931d93fb6cda60

SHA1
12a649e6a68384a69509eaaa842b42cb17a48e9c

SHA256
f5a330f61d9bbf8eb001b23e80598ea1adbd216d7777f28d9d47eeef73dfe5bc

SHA512
93286f9201f4bf8a76922719604717ab219ae73ea12785e115b53fdc97d8c782f3841c088907035061606c1cf1b39531c1bd1295d98d8d946fb7f50b17757052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
aeb14a460507cb74e838c8bc36ef421c

SHA1
3ddc985fa7f84645721fe5b77fc2d678ca31d016

SHA256
3943f41eaf3aa59c4c51f2dc451a2af3029145fc4c3e0e988391cc1cc2024325

SHA512
252526f6f9a70e510ec3fd77ec15e09af3ef8fd115f737775544ff1b812ffbda9958ef8cef1d4de164a4682caa5c221ecf0916f0ba6a04c2a2baf207982477f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
2e94316a58c3d52f3770147640b1e9db

SHA1
6cca8f3354a81660b888c70b71b4304f81d22eea

SHA256
5029947a76f8686f465a4c99fb4c6beab574bfadc7a8cf3b9ca0d9cb119ec0b4

SHA512
a321dbe8968454eb71d382d254234c2a2d2722e67f5653cf7f86d5861d994e4fe5c33e49e5915c108730021c5e3d284bbd9076a9c203d8ee0e06be6a9767322c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07ee01a54b2412adb61e8b28794db705

SHA1
ac415497252acb8addc5ec27aca78cd35b0f24b1

SHA256
671b78221e446abfa4adb8eecc4efec1e8e1918ccf306c1d0fbf56bf664ecf46

SHA512
72c0e967d656b365e0f60831126d2954b2e0abacbc4064928d4863ea933ce9cec545aa6c91464bacc3e4e62b692af25277d7f590a74ea7ebde96465976c1a2ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cae242083ce5c59cf599617d4d5c5c3e

SHA1
2bd5e7d28cd0632511b4843125b086421b271caf

SHA256
3c79f76c8127e4d4158798ef3f2211d4766393de2976c8269e0ce637de62faff

SHA512
5a64a9ceb63df66e480af132d0cc0fc622ac42f05ef265d74b9eae431cdd85f297ae5c568c9fd710536a1607476c7494f7a2030feda62d1eef8688472e736617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
0ba53f651f57b62da5956d50c97a38cc

SHA1
71babb40d9ef3a6a12580e2e6813c64c58fda578

SHA256
e8005c89662d2a36c40fb4737cac59fb32bdb9319f639f3da408f8ee40589cb1

SHA512
8ef8047baf765ca5a314e684d56e686a440e2d5af66a64f311a1683b1562d24da145a675f7a639cf6d1552f1d98ce557a8cc7b798e697a26da094cf74c4293ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59f488.TMP

Filesize
48B

MD5
c0fa405816c9431c01db27060c5c74c6

SHA1
cb5dc9ade30da34874bad40028ce404f6bb231ac

SHA256
e40f1fd15844a2fcbabe59fa103d747a07310d5f7d35cbe62bd159bcf15d1c09

SHA512
a64926f53505684df5f823c2d6b3ef1ba33e73d25d6a2c8bc80e8827239312e71b037220e6423e279c5a2f1fd86667eb316e819eec61c9a4cc50addc1793d5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
13ec173558148f0c37b7d46aad123735

SHA1
a008b59850538f6ce6a9384c2f70cd3fc1563f43

SHA256
c97fe267e4ea5e897a17e66806ad603a8d8b82967c1c73bfc24ea1bd7616b5a9

SHA512
bf7a1bbe289902a3bdd9030ed5cbaf69bbfe17000f7fc80cbdda5d7e7a32c202de8112692d838a28c459fc0858be54f637d324207825d3b11150f98c1c161f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4A7.tmp.png

Filesize
8KB

MD5
771088481c5015f812913eda4cdb6217

SHA1
c74f400b81f7cad80ee77a1a0509aee4c8e86424

SHA256
fc92e580ca07c788ced70ff57f2c8d5bbbaeb02ecc5c3b6a77378c4be2d07f6d

SHA512
5bb52cb579bee53dea93af6d86f264a1b578a8a8ade71b6be700d65bc8412971372989ce7e4e80f9817ec5698cc3748aae90c459fbb7d8432a42fe6dd3922066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3587106988-279496464-3440778474-1000\Preferred

Filesize
24B

MD5
5729f09cd074d59d775fdf2c889df6f4

SHA1
deddd79ce8f5269e97aea11f8819c01dbc46598a

SHA256
81c14ff399f4164a5d6fb0809fa506131827b63b749370037ee97f3926fef92e

SHA512
5b13e92e5df050f04668613740c471a8c673980e60bf0d25f76ab93acb4e780b75153c2e817a5d7842a5a47e2a235e5e65ffe5212de90d4fa94f519ee457b74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
105KB

MD5
48bc72e5572d39d1d6695a93dd710e75

SHA1
01e0aba68465932dec70206c230516ac971f4a78

SHA256
f439c862dcd25e18f5a9d9cb74d2dfad4fdf1f6ee9b758fc3e74cc4aa4eee104

SHA512
047bfa09135b5b3e20e05562561be650e01f5f682326438c69350bce563d7a73c9d0360a02db91f05ee6dac9637933b0fdb74958e215012f42f6e838d832b179

Download Submit
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Filesize
24B

MD5
013c46d3729b0afc50ed4ca200c93308

SHA1
77c153c5c142578a0e54958f661c89bc501ce983

SHA256
2c938e84535fa2059bcc1ef6e374c2fcaf1c512de29380dd9dbcb2028c2a5681

SHA512
a209903d3b4a9312b947973d23c481c0e36c1d249207d4fd6c3ba8e759b0073676763c2a82dda9fe35b562120bfd9ff941116797ea2cde578432dddf5f2854bc

Download Submit
memory/480-35-0x0000029DAF480000-0x0000029DAF4AA000-memory.dmp

Filesize
168KB

Download
memory/480-41-0x0000029DAF480000-0x0000029DAF4AA000-memory.dmp

Filesize
168KB

Download
memory/480-36-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/636-29-0x00000246E7CA0000-0x00000246E7CC3000-memory.dmp

Filesize
140KB

Download
memory/636-21-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/636-20-0x00000246E7CD0000-0x00000246E7CFA000-memory.dmp

Filesize
168KB

Download
memory/636-30-0x00000246E7CD0000-0x00000246E7CFA000-memory.dmp

Filesize
168KB

Download
memory/636-31-0x00007FF8A4684000-0x00007FF8A4685000-memory.dmp

Filesize
4KB

Download
memory/680-273-0x000001CA40370000-0x000001CA4039A000-memory.dmp

Filesize
168KB

Download
memory/680-52-0x000001CA40370000-0x000001CA4039A000-memory.dmp

Filesize
168KB

Download
memory/680-50-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/680-49-0x000001CA40370000-0x000001CA4039A000-memory.dmp

Filesize
168KB

Download
memory/692-24-0x0000024B57730000-0x0000024B5775A000-memory.dmp

Filesize
168KB

Download
memory/692-25-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/692-32-0x0000024B57730000-0x0000024B5775A000-memory.dmp

Filesize
168KB

Download
memory/716-272-0x0000024408DB0000-0x0000024408DDA000-memory.dmp

Filesize
168KB

Download
memory/716-47-0x0000024408DB0000-0x0000024408DDA000-memory.dmp

Filesize
168KB

Download
memory/716-44-0x0000024408DB0000-0x0000024408DDA000-memory.dmp

Filesize
168KB

Download
memory/716-45-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/996-42-0x0000021549140000-0x000002154916A000-memory.dmp

Filesize
168KB

Download
memory/996-38-0x0000021549140000-0x000002154916A000-memory.dmp

Filesize
168KB

Download
memory/996-271-0x0000021549140000-0x000002154916A000-memory.dmp

Filesize
168KB

Download
memory/996-39-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1076-62-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1076-61-0x000001A801890000-0x000001A8018BA000-memory.dmp

Filesize
168KB

Download
memory/1084-64-0x000002D610EC0000-0x000002D610EEA000-memory.dmp

Filesize
168KB

Download
memory/1084-65-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1228-67-0x000002D176190000-0x000002D1761BA000-memory.dmp

Filesize
168KB

Download
memory/1228-68-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1244-71-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1244-70-0x00000191AE970000-0x00000191AE99A000-memory.dmp

Filesize
168KB

Download
memory/1292-74-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1292-73-0x000002D88B550000-0x000002D88B57A000-memory.dmp

Filesize
168KB

Download
memory/1328-76-0x000001D053F10000-0x000001D053F3A000-memory.dmp

Filesize
168KB

Download
memory/1328-77-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1344-79-0x000001E1F4C60000-0x000001E1F4C8A000-memory.dmp

Filesize
168KB

Download
memory/1344-80-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1432-82-0x00000278D1670000-0x00000278D169A000-memory.dmp

Filesize
168KB

Download
memory/1432-83-0x00007FF864670000-0x00007FF864680000-memory.dmp

Filesize
64KB

Download
memory/1496-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1496-15-0x00007FF8A3180000-0x00007FF8A323D000-memory.dmp

Filesize
756KB

Download
memory/1496-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1496-14-0x00007FF8A45E0000-0x00007FF8A47E9000-memory.dmp

Filesize
2.0MB

Download
memory/1496-270-0x00007FF8A45E0000-0x00007FF8A47E9000-memory.dmp

Filesize
2.0MB

Download
memory/1496-28-0x00007FF8A45E0000-0x00007FF8A47E9000-memory.dmp

Filesize
2.0MB

Download
memory/1496-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1496-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1496-27-0x00007FF8A45E1000-0x00007FF8A470A000-memory.dmp

Filesize
1.2MB

Download
memory/4948-9-0x00007FF8A3180000-0x00007FF8A323D000-memory.dmp

Filesize
756KB

Download
memory/4948-6-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-267-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-0-0x00007FF883113000-0x00007FF883115000-memory.dmp

Filesize
8KB

Download
memory/4948-269-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-8-0x00007FF8A45E0000-0x00007FF8A47E9000-memory.dmp

Filesize
2.0MB

Download
memory/4948-10-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-7-0x000001FFA57F0000-0x000001FFA582E000-memory.dmp

Filesize
248KB

Download
memory/4948-18-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-5-0x00007FF883113000-0x00007FF883115000-memory.dmp

Filesize
8KB

Download
memory/4948-514-0x000001FFA7390000-0x000001FFA739E000-memory.dmp

Filesize
56KB

Download
memory/4948-4-0x000001FFA6CF0000-0x000001FFA7218000-memory.dmp

Filesize
5.2MB

Download
memory/4948-3-0x00007FF883110000-0x00007FF883BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-2-0x000001FFA5870000-0x000001FFA5A32000-memory.dmp

Filesize
1.8MB

Download
memory/4948-1-0x000001FF8B1C0000-0x000001FF8B1D8000-memory.dmp

Filesize
96KB

Download