asyncrat | hxxps://github[.]com/adi33333333334/

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/adi33333333334/

Score

10^/10

asyncrat discordrat syntax bootstrapper discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Syntax Bootstrapper

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:6606

127.0.0.1:39473

lolzpopbob-31243.portmap.host:7707

lolzpopbob-31243.portmap.host:8808

lolzpopbob-31243.portmap.host:6606

lolzpopbob-31243.portmap.host:39473

Mutex

gte9kAyhP56e

Attributes

delay
3
install
true
install_file
SyntaxBoostTrappera.exe
install_folder
%AppData%

aes.plain

Extracted

Family

discordrat

Attributes

discord_token
MTExNjk5NjU3OTM3NTcxODQ2MA.GQCXQH.xBOhNgRuTYbvNVUNjtEDkZuxt-O-554xPfUm04
server_id
1116412300795072686

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000023db1-294.dat	family_asyncrat

Downloads MZ/PE file 2 IoCs

flow	pid	Process
14	3676	msedge.exe
14	3676	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Account Recovery thingy lol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Account Recovery thingy lol.exe

Executes dropped EXE 6 IoCs

pid	Process
3348	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
3448	SyntaxBoostTrappera.exe
5092	SyntaxBoostTrappera.exe
4576	Account Recovery thingy lol.exe
4840	Ro-Shard.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Account Recovery thingy lol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SyntaxBoostTrappera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SyntaxBoostTrappera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Account Recovery thingy lol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Account Recovery thingy lol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3924	timeout.exe
2068	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 939019.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 490600.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
688	schtasks.exe
4972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
4640	msedge.exe
4640	msedge.exe
5040	identity_helper.exe
5040	identity_helper.exe
3044	msedge.exe
3044	msedge.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
3348	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
4092	Account Recovery thingy lol.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe
4556	msedge.exe
4556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	Account Recovery thingy lol.exe
Token: SeDebugPrivilege	4092	Account Recovery thingy lol.exe
Token: SeDebugPrivilege	3448	SyntaxBoostTrappera.exe
Token: SeDebugPrivilege	4840	Ro-Shard.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 2496	4640	msedge.exe	84
PID 4640 wrote to memory of 2496	4640	msedge.exe	84
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 4504	4640	msedge.exe	85
PID 4640 wrote to memory of 3676	4640	msedge.exe	86
PID 4640 wrote to memory of 3676	4640	msedge.exe	86
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87
PID 4640 wrote to memory of 1852	4640	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/adi33333333334/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8c4946f8,0x7ffe8c494708,0x7ffe8c494718
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Users\Admin\Downloads\Account Recovery thingy lol.exe
  "C:\Users\Admin\Downloads\Account Recovery thingy lol.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SyntaxBoostTrappera" /tr '"C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "SyntaxBoostTrappera" /tr '"C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2640.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3924
  - - C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe
      "C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- C:\Users\Admin\Downloads\Account Recovery thingy lol.exe
  "C:\Users\Admin\Downloads\Account Recovery thingy lol.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SyntaxBoostTrappera" /tr '"C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3640
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "SyntaxBoostTrappera" /tr '"C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DC2.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2068
  - - C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe
      "C:\Users\Admin\AppData\Roaming\SyntaxBoostTrappera.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:4316
- C:\Users\Admin\Downloads\Account Recovery thingy lol.exe
  "C:\Users\Admin\Downloads\Account Recovery thingy lol.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6660362710023716531,7096679189255207212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Users\Admin\Downloads\Ro-Shard.exe
  "C:\Users\Admin\Downloads\Ro-Shard.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Account Recovery thingy lol.exe.log

Filesize
522B

MD5
acc9090417037dfa2a55b46ed86e32b8

SHA1
53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

SHA256
2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

SHA512
d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
33KB

MD5
dba9415b6976cc91356be011d9f790eb

SHA1
8abd55fa5f1454a5d3526c445110c57b734aec3d

SHA256
ecaec88f55cdca4d2d905798e4126f5c414b84ce2e9f1c3287bdb30cafd16e78

SHA512
487599d633c941f1127cda589bff3045a1ea5673c8abec8f7ceb8583c86ae6af5928f2e098e183dfdaeee760e941dc364c538ff15389d14426142af5cba1ec01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
21KB

MD5
f96980d9c911ab72741588796be66dc7

SHA1
107a4e878ebf759cffd01bde22fb87dce53a76dd

SHA256
c9e35cf2f14405e131d25f7216a31b422f693f7a8a4c96cb6395228c90fe1344

SHA512
511a26876a3f8dc5d162e51bbd71d8fdcadcb78617aa0b4f6e56413a164dc272fa2e80c6cde0243ce95b6aced3b0a7711c6a153dfe99bf0b80f86a026813e7cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
d2610a5d8eb0910f15b4d0ba1db62ad1

SHA1
a48324d4034a4aede07736a1e1236edc09f82109

SHA256
30cfccf9517449b44740afc542d5ef80255071b5fbf4f36d767bd479dec3fdb6

SHA512
06c3abdb2ed0d6b9ab1f9b2172b1ac28862a8b27abbcc64250aa43302792cba76a201b2b1a180159a50658ba34657464335cee2f2cd8511e34133657bc1b60dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
54d2c504f0b710269a13bad34f552abb

SHA1
7c79631be828cd1fa04030b63cf9e23ed29571c5

SHA256
34acf086839092fa81d02de527db37c38c72806b7e53fdab9a50570cba953e47

SHA512
83ee68e560a33c5fa39527e1661a30820ba22b2c617a4ea40fd2f0ffdc44c167f1c91385e7aa3308e99cd2855e6c47cae2c9495dd386b3f8135fcad722f0b267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
16KB

MD5
58795165fd616e7533d2fee408040605

SHA1
577e9fb5de2152fec8f871064351a45c5333f10e

SHA256
e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e

SHA512
b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
20KB

MD5
06c0fbf7408a8c67ccd86a9f4e71c79a

SHA1
6832e20cf5966e44683d34209ad9be9e373b0d02

SHA256
e208e5604b3735e8d8066e17be389a4f37359e4c861090e854454ba0c4f4aba6

SHA512
b7e342cf6010b4397c328534c9aa64d383efe1b5e7a6106f2ca1b05233f665a4267264df57535f195bbda4fee0a19c7a8b2972c9e2ccded5f85d5dd95a7e42ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
16KB

MD5
b4b137c454fdb6b47752980f25d190af

SHA1
b11f5dd4ec6713b6a16f73fa67001e6a0c83bb9d

SHA256
3683a602473b6942fd54cfd1e6e4dbecb36d0c4051f462efefa1236023e959f5

SHA512
72269e3392328d466012eb5da80a34ad144ff0280d2b5652c2cdf21b964a418bc432f26c3a9851fd4f8e49ed51753af8582fa2752db2bf4bc802662364eb45af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
23KB

MD5
59bd3cc5698c77cab358809273839dac

SHA1
3b0f10a27f731d069e1a6587786eccc433ca6497

SHA256
f29860c2c673ff7807bb4f4bc06dd1c4fb4c561a5caf10d870317c4aab88190a

SHA512
9d10ba32aedf6d62cf1e78836d9b7e5872c2e940ad25e855e77ef97217d50c5ef25a595498c5a1509d0dc3b7c38101f69f455627aace381b3f22c82f59d6d76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
61KB

MD5
2fa57b4017bc43adb0a40c3c862f0430

SHA1
3e7e1b6cd194a1ba84bccee0eeb04a43308d6bcd

SHA256
3065913cbf566936b0edbdbb39b8eca2177182b043921a2c3289ba1b6f4fa785

SHA512
b951ddd7c123746663c3908f9733ba27359de9b4a41b315f10df059efb3ea17b01a19ec55657c9738e182ef1bec5d426c66b7e4d723c106da8c34388e5cbe27b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\12e2c4b18dbb728d_0

Filesize
12KB

MD5
bfb73c035d9dc1d153c7d4a70043198a

SHA1
0958a9281946e11ebb51d4b3adc5b9a9f7c40fd8

SHA256
96ec3d8b6476646c83d15a0eaafd6c64122803f86ff4a92b970f050626d119f9

SHA512
5bb4d7d938afa7018b72fc6795f72fe977c334e33276318dff9533df37bf29785cba41fb0acf74a16bbbad6046b64c4148a307d0bfe15228185bdaea41244c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\154000feacda5f15_0

Filesize
313B

MD5
4495357f37e44d158a02baa6d1513db0

SHA1
aab86be9fc9d0e15248a2aab674d22e2c8b68005

SHA256
cb8f57d4b86654c5e91aa9fd4d34d14ce73bf6e2d6a09b883ebdda2afba89229

SHA512
d42a8f8c5d1915886cff5873bce37915751e8f48ff19eaf03babad3e9b1eeb3d22da706944ae920473103116d20eea2c5d49ae999c2833eb91590f2038b5bae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\172b237bc017862d_0

Filesize
6KB

MD5
8587d0ad4801ceace9ec16a42333fe1c

SHA1
2cea682efe0b5ca0c15e75a101b8f6e844affe85

SHA256
cbb5ce2b9fc41c8735f8de1cdd37c46dc5c7dd65d451c45dcd9429c1cdeff7e6

SHA512
505995dfba3062ed376eb680b457ae756d2c8b7872f1e306ff7b6fb49d90712ef47698dd9b26212384abb1585f02e6cec78694c35c81e18ae28270150e431214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\19152b7f8e8efcb9_0

Filesize
2KB

MD5
36e1446e7b1631072057c11919e854f9

SHA1
66d0a1545ab60b414c2749caa66455073f07b805

SHA256
a51a0148dd84b1e531dc95b5d0f5c66ae39cc38f380e125ce2650ad886d5f8a6

SHA512
43a07aa48cf4366c9166af4662d627a4c9afcb196ab3b5de62591909fb045219465ad14ce93ce1c0ac264cb5caa9de853a71584127d7c40fff938da0397de66e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25d24c50d6908129_0

Filesize
2KB

MD5
f4f91162bd356c22666ad2bcc1f24435

SHA1
f2559dbd72a2a2f9b56188d72905f380795a6414

SHA256
c47602068f2acdd99001809e17e7e1c47532451109617d63482b7abea78e3fc0

SHA512
3c71050174b34b3f5d556572911886a62948452a59f6ef26721e93c8ba09e35e4876d3e09ed62b5612888126441f342ff1237f9d1680f636ebed2521b369bd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\28432a65d8e588eb_0

Filesize
29KB

MD5
aeea31a82fe293a8647aec8e5f5a6421

SHA1
7dee8d3d142d32b053c27335aa17744cdee863a6

SHA256
d0c9e10b9f7ce472ddc984e3f8af65249a2544ba896c1c3052dadb295e3f5168

SHA512
6b8e9269bfcf005f4dfbafa65bad931098cf889e51120234aea73728071cb6fcdf21086ec2fc392cdd3597dbe8dde7639264d3555fde56a8320e2cc476dbdb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\37937608fe0d98d6_0

Filesize
92KB

MD5
45a3004b5bd6ca0906bd7c4b981f0398

SHA1
05b2cb23da7cccf8707529834c7c38f12a445954

SHA256
4ccf8293206c856020b03694196602e44de1187dbd1ce19986c2d0773b785944

SHA512
ef7562d0a26cc6351993f0df7d236a3d40bb91fc9b87cc6da7f8d21a0a0ccdf804b21c709f68ed98f3580196bc2d0823398cc5cc18769abc2e3c7ec9063b2955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44d5079ad5841b25_0

Filesize
7KB

MD5
7ef21df7f93727262c1768f43dd6b203

SHA1
06fd42845a6c0805baa445a1a3e19e3a99cdd777

SHA256
0dd989ea34670a3ca3abeea087a945dfe8909e134fb2b8f461efab01d400d139

SHA512
d7bd4688e2d1a538fb121acc67057b013a9c526e786aede5db83d37daa167303ee64346deb164f61ac165b3f4f905b3b999d2f66a9b43483ba1772ecbe9665a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d0b78a7984afdac_0

Filesize
2KB

MD5
362e9c41479b5aea36a48ce2d4be2882

SHA1
63a2235ebc71e5589b6580b29162795707300721

SHA256
c5cf940a3292cfaac7c11045da177b5120932d6065a41af443b56332c5824f98

SHA512
7a08f40860b355f212010be71c3d4348eee5c0c7c6548ac535ad3d0e1a45acd0ef5df07c760da39bcbf33c7e1721ae0fa027b1e859addfde8fb2a313d3e425a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\89db893576032902_0

Filesize
8KB

MD5
5b3bcb2b1f191e100c8448214b9e1a1b

SHA1
7090fb3937702bbf7fe1cfb64e6c3dedc3d87ea8

SHA256
d827352e3c9c7f9b8d6670d745d48092e1241cdab637d043fb33965a09023358

SHA512
403c22ccd80c937b877ea6da67b633fb50b6da0d6b2d22186d222d7c5d2fc951d7ccf1df9675ad2af01a253fa9a7c5304a4f8b9e4e0f4676c5bbb5fa7fbe1f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a69226eb7e1fcb4a_0

Filesize
1KB

MD5
27aaf426944084509d349e2d906ffa36

SHA1
79a74c07a00dbcc6f93882f23a7fbaec2f8baa52

SHA256
c33f109ab0f051b7d96ea19b93328c506de68e5da7991660fb8546032b16bbda

SHA512
cb485da0a309dc226ffa82a38b8cdc189097661af541ff0d3e5acb71504489be7ea97f3298cfe938456fb63d94dd8d94acc8bce82c1e7e884b2cb467f5e04498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bb73c6570251aa2d_0

Filesize
34KB

MD5
b8bee7db717354edd84ba1b1ef8fe698

SHA1
45715be26ed5980e3bdc4510ad136cfd503164c4

SHA256
662127848c337469d3591d16b15788889d95258fa7023336d625fe175434c0f5

SHA512
2f9b58241e36e11715aab3faec3ad30952e485df62f50ac43aa6494fb50e14ca39e874bd665d6f82a3c9ba1f05dc48950cc5a4ba0e01965c04649f442f03ddba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ee08c28427b16c56_0

Filesize
1KB

MD5
25a8c0cd31b584af0823c67fbb02bd3f

SHA1
88f43b1d08d223c70a257110c0edeaf6a5251802

SHA256
5e5286ada18deb8f128687318f6ca3435775bc1658e38ecabfba9c5e7f894df8

SHA512
bce43613d76e1173618930ed81cb3e9bd756c391a25e81671de21e7b545aaff6829318e1686c842ef2b7b7afdd63de980e29485490ee17596689c19e0037eada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f0572c9ab2f19dd1_0

Filesize
10KB

MD5
f5cbc179343e43ce843cce98f1865e11

SHA1
aa818e8feabdec6c6cfc9bd765b8929c1960978d

SHA256
8bff8cf696529adeb6074528aa09e2a336571d3e0e287be90a247740fc1580a5

SHA512
a6e634a1d4bdd3ca7418c32b205b5e887646510dbe71442d035c2c8de097b25779eaffc275df675109fdd2519b3b60cee1a93eb8e737532aa23542b1fed583ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2508f9f774dff5a_0

Filesize
11KB

MD5
27abe66c33906a929ada8d08eb6a82c3

SHA1
e2a0ac56c38a5f32bcb197a7d29b8423cfc84e31

SHA256
860f74d2ad4ee0ad89971f9761a380fafb0aeb342acec77453ce0d8e896394d8

SHA512
0b044af5a1808d0fcf6a616548da6569aa45dd6ffe713f1802cdc72ea0964ce99a9aa5ae72ac69c6cd6176df38a641a77e147971ae9415f0b41926a2ac534dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a03df0aee5322073c3724b8b2e5d56e6

SHA1
50c7cdd14ec379b636b6f61482d846032e928a44

SHA256
f01c764ae46805067706720bb9bfd995be4f4fc723b1ad39aeaa872bed9fd1a1

SHA512
cbcf93c865d3989382ea320d3a43aab2f450c614b7c3511dd7ba4a336436a80a161837bf8eee44eaa6bc20a99110c795d2444e4fe5ba279ea67a05ad9a26f133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
34ed453cec15d85236cc71b0912e4f90

SHA1
997a74329dfbca25b343beb921642a7a838dcaae

SHA256
8255769b3215fc51717ff3a7525c4e803cf0122b8fcaebe39498d7ab7dffc80f

SHA512
cf3d7bc39d01451782595a7bc58bcb92129902d5c9a1b90532c08cb2bc93a5350c2a6d4dd66baefa156ab8f5a3db7c0442b0f3df22ed471b1cbc3787bd096a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6d480e9f02f75901ff95aa1abe79bf52

SHA1
f2536ae8e1a1529faec22ce29dec48a1977df3ad

SHA256
f528ca6c80d476c0c7b950f3e1f2aa30efea7dba008d38da7a61906492126ab7

SHA512
e34ad9d492a8628401957b15fb5ea29070002238c9bbb7eb42c8faf9e96e1f6e89fc41f000d75796f076d750391b07a4241e91701697ae6e63f4ffae1f384bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d84546806e9de2e041c847917d50f63e

SHA1
2ecf9c67827c608e03ca27b7eaae850d68e366de

SHA256
a0303530bed8475fe65b97c26e029354a10ab13103acf2cafbd9a93b57e83668

SHA512
adb0ada7665430e76624b020047d98f2f7faf4e219298ac9af08528af21252532f56a75b7955bb56a57fd5c2285a180015fe343cf410250cc6eea49b9988c61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2dba6b3a8d41eb1bd0f512336fca1223

SHA1
b2253b757bc3362a8c3a9a6e8b3b23f240ab704d

SHA256
07f6847008aa3c78279d1cb7909c3b751cb48dfeb87e3a28cb572004bb80cde0

SHA512
9e42c9782b87604601e683ac3a4cb16201d7056850e23209c9a6daff18282a53d11f9d9055501568d3299e6a5704325e043c654af5585d22c2dc12c770ce3904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d705022c9f492e45552972512f29e9c4

SHA1
c98a342b89d565d8d0eb277c9942d10b1088ce39

SHA256
7ceb0b28e3399fe78ec1720a22e64557401dbd309d86441299fdfd8ad147c354

SHA512
8b44aa215bebce17babf30c6c5df81e2aa1f6b9835cc8337bb6f745519a146ad2acbe99448802822b3b372221ed9827ae832aa92358a3dd7d89a6d0d5094c050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad2356718c4d6bdcca9963855157bf0a

SHA1
d29ac46b12bda66252cdd90c33b9faf131c68fe0

SHA256
462eec83ba7ae2e7114d29c7669aa724c29dfea0b29a13f8a8e7321580a56837

SHA512
53bb9f2c80c7570ad9250530caca3c498b581ede92868806e071f475aed303aca405a8d6cb4f37611158cb9f2db4f9520559301f2bc32081db0afa3af55f9e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cfd4a8a4e91c534f5522b21e0feadcd3

SHA1
9bb0e927e90076c2f97e057b39e4204836a21e38

SHA256
b7bdca1b80d62086de7989ca7d5d7acd9c363472f332212866c4acee360813f0

SHA512
03539e0985135b83624fbf629a63b5ff5df0ae5efdc641bf9dae7e64f92e16a121bfad24d368e8fbc4f78acbca28b0ecff143b5ef873cdbde78339fb6004deb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a2ba47d123b6acc3371744fb097b6bc

SHA1
c668d345d7707bb3819549aef0e0d68952d583c7

SHA256
53bd879463e11dc037ad52330a95e2e6ed58bde6f405477333bc4259828b42f8

SHA512
8d93207e20100216f46470337752868a02d92aab3f7f47844e17e524386f532ec750e13ded12ef8d31461397fa71f9221e4487541c6902d88a392ee523853e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a9bbeb8ef888acfa0700ba53b08a534

SHA1
fdcc5e5487e18eeb9a2b368ab9a2312a34641fb9

SHA256
905b3250b671a6ccb3ea283b9d2dc9bb97ea9bc285af8cff10d61bf01d071267

SHA512
3eb38aa595e65ba0375f0037afcea17fa91a4bd3ca667f2679e877c171eca0a88f71d45ce23f3f180f111413e997171bbb35b1d6c05a4e50ae4791c317a95d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
d33807d6bedd65d8dbedee50df9ea875

SHA1
bf6fe3741453f63cdedd636aa9e82bb35b8b5402

SHA256
486d0f230c5681902bebf1e791805a30e9fb323b0c63aa573ee142f358430af3

SHA512
c28aaf2422df6bd6baacc7c461df9ca0a9fde33ddf918157bdb6cc9d7ab103cafa93c45f15b8e169672550ca3fa78eb3e0c6fa8f5a6a3e0c58271b54c9ab7549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3976d3c1e4e9aa6a1bcc2ec1b9fe486

SHA1
45966f7cda0606bb2628930e062d31b2deeea22a

SHA256
c903ce081557b7d5f564c5351243b79889aa1c319a453375b207f9dc98d0ea57

SHA512
09ba1eeb647c721a849f6547efd8b81a826518c176d985e21e8ac4df9f9a6e050b32edc1cc05dee6993b3fa1adfd23d25da4e2358f4fdbc13f0e9f34e874b158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4063b735247987bd957b8eb9be8999d9

SHA1
79dd573c46f4f5402c8961fa8eacbdbdf2ea7f31

SHA256
99e6c8e2bdf473408559e9ed9f7278cb59b522b9d41af90925fcc3b270f39d19

SHA512
9b6c53f19834eca9993b1ef1e62442bb1f5a1dd294778a97913fbb18aa3b9328a35c225610f24f8f2ffed82d90bf1c4f2f7791aed2546cea71f9305ce5cb8ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d3e564b1edf48e1c6d3fb959fbf9458

SHA1
df71bff8932ba5ee9f70d44e7ef5f0a12941a777

SHA256
b55801d11d2713d59b1381449b0d9ae0ebee150701a567ce13a87e292924dd5d

SHA512
77d14048741371b5bfdf53a5d8073d6debc792dfb295c2a27cd61666637da7fd81d8739041a6d1b61b322fa22ca3cde0b0b20e5666e59a00cfc6a955247f52f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c01eda0896b266b7ad4c7ff1e3759a8b

SHA1
912bde618ed5f1f28773b57046b168628e292f5c

SHA256
2f49dd8de0f9a1b2bf639ae54b248153970d20e4011f12b14fb8876becf517e7

SHA512
158851845266eb28d8982de0284adf70365bbfbd705b828b8625f4881340333a376c1997ebfb5a1a83a01a7258f82138f17a00a998cb21b750256299f321c07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83d38d9aeddc3891ba9d827d759c14e9

SHA1
70b15b2407cd5ea22e1ec8cdd8e93128e62d9aaf

SHA256
bbdf74cec243f380ee7c2818f75d838067d5cf11e9ea9d8410887546609a1bd0

SHA512
eed36177121158b8b943ecc950b10b2f4402683442af5da20d90871e18b1f70bad0b5b938973b128bf351c2a1e925d6653013bffaea94b7e5f004caa907102dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
71abc7de4345d95cdad6003ed5beee5a

SHA1
04bb0908afa2cf6f9694a2bf3c9f9743e72d28cc

SHA256
5be5f91966a7a86ef1eb701524642a84d32d162dcc726e45028778b81cb061ac

SHA512
8379b6f3d1c6cec82d3cd45a5ee4a471caacf5e909d12d8a72144aea45ff793789308884fc9ea7d7c9f1572a490a7a200dfd5f71ca2fc9699d5328b4157ec912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f488f66f72fc28c51bf32e2fb2866c0b

SHA1
c4f909c2087af88571bc485e8c274ab5d9c5c38e

SHA256
0d272c3bd3ec4c44310218c563d8e0b754bfcaafc98078cfeb8d4165ac246e7d

SHA512
29a15595ac6eaf9ccbfc85289ff283e0c487574662dd45cde24008acf0ee701b86503c5b3c9f5fd7a5b89af89e1e78b377c7d48a628dfb0e06b758af0d96c099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e30d.TMP

Filesize
874B

MD5
6604925d0276a4ad2341d1844e28149b

SHA1
71ce2ff76f48c5c75042c34e451181d5cc00fc71

SHA256
5a6151c9aa8dcaa695d9da60a79b02facf9152558d48660c3e2842227287fcc7

SHA512
3a1b28c73dfaf9aa28eaa7f787563832be56c3850005cd2aed243111cd04656d0e726fcf2b7e9bc601662c1df2d6b5b3c2960215dee2b440bb6aec5bbd9601fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd187adcbb74ce327a29e0488b1da071

SHA1
e6b48da0a3123caddb507060154401d2c23ad3c7

SHA256
808e673c41755addf48f8c6c0970aaa4054ab4148098abc5b459bbc326f0eecd

SHA512
c65c4c64b9de31ee108b4635eaa7324f29453f67366c5f4a66dd460b9f85c86030bd29645f93a02f954fd6748d68a101c177f2d7ac2fae67062a21ea12d618e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d9c83a743459f0cfadcb9c407aa4f8c

SHA1
42950b0dcdb5bc07fa27b1d425f1577dc159b7c7

SHA256
e929d69f6d51f7e25ee8065d1cad6e64fff5a6f6bbbfc230bfa6a4b36976d930

SHA512
ad8d84efd7dbcdf2c84aec738f2446b22ee63e3a104537374d452cc44ad06d07c617a4993f16ca2fbf4e1c6c244607bac89c78d50ab3128aad320bd283f15c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2640.tmp.bat

Filesize
163B

MD5
6e40c738a44678b299e2fb72c2a13035

SHA1
a310db7d6cbcd3aa04bf2ec01897000ebd325da4

SHA256
b4936d05a1c7a2097150f75ce5156491ee1b4318224cb319c4fa54c993f672ca

SHA512
874ab110100c5155442d9fcaaa7c1cb94763c89836559d4795c1873b57ce1a7dd1ce743adccde5a662ac4fcf862a6b6dfdfe91059c73da657d40ceb2884d4c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2DC2.tmp.bat

Filesize
163B

MD5
b3ab468c397611891c8f252f71195f09

SHA1
6e4839f7228314bcb0ae32d3b8a61a3983822e9f

SHA256
c8971022ec929884053733df74fcb9dbbcef2856115cc3972f411a39f90a9426

SHA512
1f70529901d041731e751caf13b42ae7984af496e5c3dddf7bc895e0db5a5beb00c6e67780edaf71cfcb1942c17373bc69629d76f93b7cde04ca879f2d9c7608

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 490600.crdownload

Filesize
78KB

MD5
c2efa89fe36191552ae19d0a0ac77b12

SHA1
6a9ee581d8a150cd4977cfae2a65f5971e27924a

SHA256
b518c53ec73a78ed514f40aa6db4b2798cf486594b50503f081247b6e3d411b2

SHA512
54164777c4e101d17d490a3a9bdb31f12fb92ad5ecf22efd43992e0b469ab55a788e9c39bead429c8ef9ba5455d4bccfa4e1f1af09d134a9bf9c81937af2d212

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 939019.crdownload

Filesize
162KB

MD5
ab1ab5e18377c25d70fbd48e4b719b32

SHA1
b32279cae9dfe21dbbffc360accad27a2c325390

SHA256
f3a046129799b4aebec57050fbe54848748c0c4adebbf13b89990d6d13d0325a

SHA512
5b73b0f56f6b8323b244bca17fe34a520206d7cf200c49bcb9c5fef9d7614ab61f86eaa42a4c6d582716a9bca50decc1ea55fe8648855881528638b39f9dc038

Download Submit
memory/3348-321-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/3348-350-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/4840-869-0x00000158C4A20000-0x00000158C4A38000-memory.dmp

Filesize
96KB

Download
memory/4840-870-0x00000158DEFC0000-0x00000158DF182000-memory.dmp

Filesize
1.8MB

Download
memory/4840-871-0x00000158E0480000-0x00000158E09A8000-memory.dmp

Filesize
5.2MB

Download