discordrat | afde9aaa873e0952ba317b2808a141f6f7d3f4f24ff19a9a0ee88230ef1707c4

Resubmissions

17-02-2025 12:23

250217-pkn9hsyndt 10

Analysis

max time kernel
227s
max time network
227s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
17-02-2025 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document (2).html
Size

193B
MD5

9c1026427ed201a0180b01c369c71435
SHA1

f917c53783d2a6ebc7e3c4ccb212b85a6a882048
SHA256

afde9aaa873e0952ba317b2808a141f6f7d3f4f24ff19a9a0ee88230ef1707c4
SHA512

d47bacdeb73f2161078a3c185b431a95978b0c008eb934a991f5e51f0babfebe780c133121751191fde8b50a9c980024f0027f0924f5991fa69de2eb10e6f4d1

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMDkxODg1Mjk4ODc2NDE4MA.GzBXeG.IQdsANXf5vF4yFt_OatJlXeGmRVH0AzHFLzfHw
server_id
1310919517383294990

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Downloads MZ/PE file 2 IoCs

flow	pid	Process
22	700	chrome.exe
36	1144	Process not Found

Executes dropped EXE 8 IoCs

pid	Process
580	databreachscraper.exe
1532	back.exe.exe
2128	databreachscraper.exe
3360	back.exe.exe
3592	databreachscraper.exe
5520	back.exe.exe
5560	setup.exe
4576	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\SETUP.EX_	MicrosoftEdge_X64_133.0.3065.69.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe	MicrosoftEdge_X64_133.0.3065.69.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source5560_422804620\MSEDGE.7z	setup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\485a1832-b1a3-41a9-8ab1-3c414d99cb91.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\databreachscraper.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3440	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133842686309785248"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2555750229-3157966592-4138184120-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2555750229-3157966592-4138184120-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2555750229-3157966592-4138184120-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2555750229-3157966592-4138184120-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\databreachscraper.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeShutdownPrivilege	3392	chrome.exe
Token: SeCreatePagefilePrivilege	3392	chrome.exe
Token: SeDebugPrivilege	1532	back.exe.exe
Token: SeShutdownPrivilege	3392	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 3424	3392	chrome.exe	86
PID 3392 wrote to memory of 3424	3392	chrome.exe	86
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 2700	3392	chrome.exe	87
PID 3392 wrote to memory of 700	3392	chrome.exe	88
PID 3392 wrote to memory of 700	3392	chrome.exe	88
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89
PID 3392 wrote to memory of 2056	3392	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\New Text Document (2).html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2e28cc40,0x7fff2e28cc4c,0x7fff2e28cc58
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4564,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4916,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5128,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4768,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5072,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5108,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4760,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1556
- C:\Users\Admin\Downloads\databreachscraper.exe
  "C:\Users\Admin\Downloads\databreachscraper.exe"
  2⤵
  - Executes dropped EXE
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\back.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\back.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5616,i,12843711103448223816,8254538045504782686,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5300

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:492

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjE4NjU3MkEtMkY1Qi00OUI0LUFGQ0UtRDUxNkZFQkEzMkM3fSIgdXNlcmlkPSJ7NTk1ODMwMEItQkEzNS00MUZDLUE5NUMtQzUzRDQ4MEY2MThBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTlFQTAzNTEtNkIyQS00MTU0LTk4M0QtRDM5MjU5NkQ1NjA3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDMzNiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQ3OTQxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5MjY0Mjk2MTUiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4980

C:\Users\Admin\Downloads\databreachscraper.exe
"C:\Users\Admin\Downloads\databreachscraper.exe"
1⤵
- Executes dropped EXE
PID:2128
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\back.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\back.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3360

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5976

C:\Users\Admin\Downloads\databreachscraper.exe
"C:\Users\Admin\Downloads\databreachscraper.exe"
1⤵
- Executes dropped EXE
PID:3592
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\back.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\back.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5520

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\MicrosoftEdge_X64_133.0.3065.69.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
PID:2036
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:5560
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff639796a68,0x7ff639796a74,0x7ff639796a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F59FC5DD-C6B3-45D9-B24A-F7BF9D9FCC33}\EDGEMITMP_D9EEA.tmp\setup.exe

Filesize
6.8MB

MD5
bdb1aecedc15fc82a63083452dad45c2

SHA1
a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

SHA256
4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

SHA512
50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\57b43956-2f9a-47f6-98c7-12389571189a.tmp

Filesize
9KB

MD5
6c825d87c4a15f30b5e50dc63213c4cc

SHA1
fe044e1d6f99c2be53fa2191d3a1ff7e06222bcc

SHA256
f3c74df6f35be731410ca190bc9f0ae840346de377087ada60c06749387a405f

SHA512
6a0260f25ef4e2e6a8d11f871397675be0f0b0c7eaf18dcf5f8ea6e5fc3cae1e794fa730bd5d174b277081c83f624a963f1b48d8de004af67b0f14cf7869dad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c172db9c41194408acee346eef5d58ab

SHA1
e0d1e0bed157007c71fe1242a2e99dcadc471380

SHA256
2edf3528f9560352294169ca16e0cd9a735c7134b976367294b5bb23866b811a

SHA512
7d00d525f3a9f5f6b124e2bbf5868d2be727e80aa4da360c311f3461c75b65807b07c6d3cb511c39a56a64d48586bcd3e13f4a7585eebf0e5f350bdcdae4aad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bc525f2c3475baac281f2b6459b155d2

SHA1
543239ced0d7ede879755275d295b911048ae381

SHA256
15e6a717261052aab003c1443f3dc9fd6c29c3a8d5660475f0277123051cc861

SHA512
64a10973f53992f35163ea367ec9307a50d4c9a1fe47c5f12fafc360bea107360e2201fecb1dc69f2cf1141ea204bba812e8b37fa36910cedff238214b856387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2b554c53bbe01c7388a25dfd8bd0770c

SHA1
0845a15958cfb9dac23748f601409fbcf5e4f144

SHA256
8b4bd107b1fe5c6681251d05eb606b03fc3fc84ead66361cff48da5679051325

SHA512
02f6d5c6ecbdfa188976bb9824471e4d24b2d86e449979e92aea0e1d9be365571121116fc27abcb63b44e295fb97e6f799b826c6246cb9c1343ea9bdda4b1ad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e79aa449b231185e1ba92194ae076713

SHA1
2acbbfe2a7cf69cda9d3e8cc39745a35aa7d4c62

SHA256
d590a4a62b2cd03a92d3f2d8df0b91943aa92bc4023ea50a798dfadc75d7fd15

SHA512
5fe4cc064e64ef16692c99738f97e31c7c2b20807d475a31f6673f39650a031e577d7ce8de01a4367c2b75dce9113e40d8fd52a62d88149af6b0dbe7783b9769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
efaaec71b88ab8fbcc5a507bd8a89f5d

SHA1
97e3d4b457ee81a5a7bfb254c5bf9c726bc395f3

SHA256
5ef3f9cc3c103bc7d13fca2ed6f489cb180c7ac94c572e7d97c7fc84796ef634

SHA512
0159e374e524623dc9044126db57cb3c87e1522f731726a1071bef7bb680e09d17c047f7ce8173db4edb4e2689dbc4be8ea94bed658d45eb1ece704a98d7ee81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
542538e01a73a2f889d7edd354e561bc

SHA1
62c14a0fb4b81fd829a1340256bb26c52a7969db

SHA256
7f41fdd08be22d97e2756bff65a7e4dd43cbad36236c65b513d37ecb283528bf

SHA512
8c629068eb9cd4c7c19b31e55f71ecbe8dab3c6525ec0e431cb36b39666461ee72ef4bf8fbefbb9723b9e4195ed66b6b92d736673f42340969dc4853968e9fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ba465b5291d56cf9e48d8849a091005

SHA1
e1c3d0279a2172ff25be5eae57d3ef6e1de10642

SHA256
449f98082b440415f8ba2b3d1428dff819fcc7d02b1b877d5507580f33866c02

SHA512
793bc9096c13e6dac98d67da1c041c48ce37e0d724e744b0f714804165dd0b996f4164eb1e86526e6a477644febd1fdd038a550b54e4e5696bfd95de9c686cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e532a5b7a6e1bde2af04b6f729c3c75d

SHA1
5d1b7662a982a688dde7d1c969a79cd9e72e1756

SHA256
02d05537dc6c48f2fee6ac07e54c0ece36ec9f709c889b062023759fb9f52371

SHA512
111c5da0044820fb73834ca3e96db5bdb9a5e0d0da54bd3dca30702543eb8fcc07f22a6417cc3468f7d0adc111767603c27f19af22e51a05811ae0ec4f475ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
feada61079e0d582821c69bc2884bede

SHA1
b5d6c7f81f6674e8863987c204ac0adb1f5bfaee

SHA256
50a7561abe34b76e9da831e702e3bd759010a02758f17542ab1472206cf535f5

SHA512
4e2e3fd77f7d762a94856fd65d8808a6c51da5b679bcb78c1b9892af5868f8a293dc5310d0223f3675676e0fecfa22edcde888e0f6e7c03f632241ab7dcd0b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d7731bb3296190879935d0c422588bb

SHA1
839cf4a6aced5e055edbbb05d186fa9eb33f4534

SHA256
cacd24a240b601c40207db90676b44c48ee5bc0348f630a05a254cf7e215a8f6

SHA512
0885f2f9beb8fadb2dac2452e7e6798986d70f0caac4b66528d3c5bf4a3cea14a6302d1e7759a8c3d75ff1b0ab2b9c3cbc74a5538387439d04946269e60b9147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d22b24757404de089bcd85f74ed4f6b0

SHA1
7ce9807a95bc1f1eb2d6c1f3348729b1ba1ef253

SHA256
66cba9712d60888f026b4e7e9c1fe49b16c4b26b2aaf196bb812e85372075b27

SHA512
27b015335ab65d33b90a811b37fd99d8a58747b3f4554752ef93342fd47251bfbe0e7bbb7b1fa08d0a1f09cda833a6ebd7cfd8fd910144377c7eb935de26e0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bac2d0a917e85c113173f447014dcd70

SHA1
839ac1a3c3bb29b735727506b3cf0dddc534959d

SHA256
3fa984fc8a421a3a0f1ec3ca525a5bb6cb4b123d2885bfbf5b1cb6ea729279cc

SHA512
2e97e8b15c157d8eefbcbb7d7d33a99abc78bde1b58ff1762da6594fb07f080e6f2f3bf6aada869247cfe4a7ddfa7029746455cc6dc68e07a2aeaa81df4a5e66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9157b33a7b72f00b7cd9e0f9c2e7c33

SHA1
89ebb5e241755f0de24360211bdb48e3ab3d321f

SHA256
68524db9864084574590e9b9d42f4c96248e0841c7e00d7e5d36dc4c8a1ab14c

SHA512
60431efcfc1c0206179a7f6303ea1774ffe48952402bedee09b2aac4ff2fa47c4fd46371da668dc750ff7598a68eadf79806a71971f1b2e00bd283e859dba9b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f0736ceb0ab2673d792d891da605882

SHA1
178feb0a53492152e07bb581dce4d66c04b58952

SHA256
69c2d04b20ac27835e894f2a48443150ef638c156c419af5236f0576734875c4

SHA512
add429ee92cc7a98c8613c9c970bb07842d85a6da77e849d8eae7f37324545c549fa6d5327c174735443bb7d38ee042e1c9917d5d4e2d148080889a9fc78c03e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a451d3e0-1da0-4278-946a-1672c97686e7.tmp

Filesize
9KB

MD5
d9b1a57d4948bf95b43163346dea4792

SHA1
30c027c677d5ed9ec15f4c2233f4189bca26a171

SHA256
60cb46d87680a6b80f392bbd1149c25d76cd31bf1ce24a290e8f22773570b6df

SHA512
68d6d47fc32fbf462b1d0602f9dd3ec69a36d81183dbe0db07a13e72c66296cb98672710743e2fb56bf0baf6fba6801c09bbe2931c91ca925ca2bb8031ce0bae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
1cdf73f982135837214f73fd2ede0b41

SHA1
8e12392abc0a7e78282e806d71b1d00272357ba4

SHA256
f2ad7fb17fce0bd9eef3192cd13e7f4477cf0fe7a48895b79d2cade8c2e8d543

SHA512
1e3aaaeda4af635a78229be3e1d697286dd29701bf8438e0dddae57d0a5547fdb200e130f259c1721db3a4aba95d983176651006d61ae8c9bb531af710326f90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
0c326c527b91cc31e8d202201031d6ce

SHA1
d3cc9ce739f5face81c226d0a7ece1c5ed788e05

SHA256
aca30999a63ad5b9b01eaec85e4b45f629b1e93fd79bd0a8e632ed6c5c47481f

SHA512
077935a8420d731ab6f0cf0962554a00f7dfc7e15463faeb1e02d9f1f003cf53e8c2ce42eba550941ad3ab26f929a597f8c4f8d1c0c8722d57960e92ca14481c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\fea6fc32-5cad-4ff0-9bbb-8eddf2ee0268.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\back.exe.exe

Filesize
78KB

MD5
3d44659c2dd4aa6c8dd0e21fd29769ab

SHA1
3e0724fc329780d69a92bd73919924f6234cd3fe

SHA256
6795c0e852fa9d12ccd72e08bf0eb701a5f4f928cb72b6de61fe15d4a8fc20b1

SHA512
1300172a2c87ec4d37db051f636c76042ace4556db84051ae61159e86f79acb4fd13268248bfe6b78198729b095a649a969a1e741d81e72fae9f1c29afcb41a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\picperms.jpg

Filesize
18KB

MD5
f061044c48793fd6d15dac694d4d878d

SHA1
b6900dcf3b604869a1158081d67eb9973c267efe

SHA256
045cd1aec7b97f481eac17ff58e4d1522e06704db9ad02661e66a0bc934389aa

SHA512
885990ca88c3215165fb459b0b8cb92b5dc5fd3056c06d1d4023bbfb86acb9f1e698bafb6e3710ba4fd74b3bafbdeb8bd86db2b4260cbd9e4e0f5ae8565f7a58

Download Submit
C:\Users\Admin\Downloads\databreachscraper.exe

Filesize
475KB

MD5
cbe2f2a631cafa3abf6169b419e84dc5

SHA1
20ac6d8060f99f16a92db8aa55ddfb7b2f2997c4

SHA256
f23839bc1f59d1cd4c542169e22882ac68063a169ae6f3e25e82b91c5e300b58

SHA512
0f879a83e08f43576786fc5e561c73e1eeec0799574e5ba3018b88b96b1abbd177385f7b0b3db3d97fdf1328ec2b0813223ab725915eb57774362f868a076d1f

Download Submit
C:\Users\Admin\Downloads\databreachscraper.exe:Zone.Identifier

Filesize
229B

MD5
435b14dadbfe413ae85b9419298aec1e

SHA1
0ac6bb9e2b0d0664aa95274c01657bb5a4a4cc85

SHA256
1b63d4a3c480ce4e05903c2b23f641c5006a215bd96ed9821c9990749a970a39

SHA512
7274813f06a6f7cd006b920fa39b2a923064f86726d8ae58e116964485c9f8e061c7bafaf2cf99347d8f11dee121bd98105a6ff9088135981e9f7946a8776123

Download Submit
memory/1532-103-0x0000022CA0AA0000-0x0000022CA0FC8000-memory.dmp

Filesize
5.2MB

Download
memory/1532-101-0x0000022C85C00000-0x0000022C85C18000-memory.dmp

Filesize
96KB

Download
memory/1532-102-0x0000022CA0250000-0x0000022CA0412000-memory.dmp

Filesize
1.8MB

Download