discordrat | hxxps://mega[.]nz/file/8zszyCDa#q2_FRE0cGAGYR9Ios1SuWI3QtwfWzIEpckBeEXBclUs

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/8zszyCDa#q2_FRE0cGAGYR9Ios1SuWI3QtwfWzIEpckBeEXBclUs

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
5208	tweaks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 121545.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
4144	msedge.exe
4144	msedge.exe
3660	identity_helper.exe
3660	identity_helper.exe
4420	msedge.exe
4420	msedge.exe
5524	msedge.exe
5524	msedge.exe
5524	msedge.exe
5524	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3676	AUDIODG.EXE
Token: SeDebugPrivilege	5208	tweaks.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2412	4144	msedge.exe	90
PID 4144 wrote to memory of 2412	4144	msedge.exe	90
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 4732	4144	msedge.exe	92
PID 4144 wrote to memory of 5024	4144	msedge.exe	93
PID 4144 wrote to memory of 5024	4144	msedge.exe	93
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94
PID 4144 wrote to memory of 1824	4144	msedge.exe	94

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/8zszyCDa#q2_FRE0cGAGYR9Ios1SuWI3QtwfWzIEpckBeEXBclUs
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd794446f8,0x7ffd79444708,0x7ffd79444718
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Users\Admin\Downloads\tweaks.exe
  "C:\Users\Admin\Downloads\tweaks.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,244897746240195151,14159862694868227454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4372 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ff0dbc5478fff90b4ab01fddf9a2f01c

SHA1
1bbd31de9e79d5a55bb4f88a4541ce292c88a10d

SHA256
16e552ff1ae13f70c0296aec82861833af41957ed3a7220f20616810422c9198

SHA512
b2c0dc598d8be197e66ccaee9ef13f98f68261889fe8ffe4e214d80a424b7a0d11a1ca59a189366b72dcf57a0fca8c9eeee0ed923d5cf8d023167fce082cddc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
8dbd7de69cb2feae2295a707cdf0a9e4

SHA1
dc3f5b67bf73c5c8fc22367085d47219cee09cb3

SHA256
74dcf53e94c13ba94e66f712b2a65c77f12fd82eebae2e067bcadac975fac978

SHA512
37b2ed95b6dce847f0cd1c3b10fac915754aff8d958717430fa20c455ece21388606581aaffba47749389b45cef51c293aa4ca9b1ec4a000dcb71531c7cb0333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
395B

MD5
65360d7119d481238ae685cce3b3051d

SHA1
728a625a0c2dbba22886108e8ac1412bf0754609

SHA256
9fb337003c757ff3f80b4b7969f6dd786c8793574bd26ce7fbbbbf14a5ff6f1e

SHA512
7853a81e7f3ddfb4d751472709a1f2f4856490283a04f262185fd3b7f6cc94f23bc7e9579919a32f940408d11b9b81fef5238f7cfe39e8e1d352212c5ab8e261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
389f1141ed6b9e7d5a504d028bf659f4

SHA1
db4f081d52329b0acc76b095062cbfa7fc041295

SHA256
54d5a18ba8ee84d83b7c6574e5d0587ae355394d30cf1af66222668bc67a10fa

SHA512
cd5a9d2f61b1b8e80d6a4bf5e44664d75649d6dc7ecc2b2fe31f7ba0a23ebad78fdbc500b8d9603afd4e70f070d56fcb34e76221904662feaa4e5868797ccf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f844911a1e799c75eba3f453821816f0

SHA1
9a285f3a68c5b2ae4af5afeb6d5fc46e74eecd9e

SHA256
3c2c518467f859c8be2806572271715eb39fefab75a0d7a6db84f3f0526fd430

SHA512
c6a4ade1c907ed73f26f76e404fd208ae9a1913e057dcf959bc7acc877fb9b05ba4c24762ac8a540c0546023cd20869c4838202466c860d74e27409f45360ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d7843a9b67328b03cd50ad0523782cb

SHA1
06c56744c2f287b9d606f1731b771042a52ef5c7

SHA256
440fe4d4b95f86d166a4a3fc46db453276d37dadb27d26548231fb68b673bf5c

SHA512
449411045889963bfa7ecab3a9ba3eb47f7dab40bcb0114fb111950d08c8ebab7037444c4b06e30c34949991c06f83ae64825f2e8a2820cb7219293dee096d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8792ddaaf1ed5e3e8646de3b9eab6730

SHA1
27587e9b66455ec6fe1b2aa8962886b7d666c703

SHA256
ae8ccefcc02590e65edfc93973e56a4f60883a068858c7276e915bed5884c3b0

SHA512
36f1da1073668642c7a67892040f4bb17b70420d15611d2ca88aacc4032a85c662e4c5d6aa632abe153b44a736b8d54a853e1d541ddd97626b7e502896be719c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c030762088806458e0c0fdd0ec598ae2

SHA1
fa60483b16a62928421a5d800f2e05134a184c8e

SHA256
f90b4486979a01a73887600af2c3c2a6a156e9a865bb1f4ef6c4f64463175266

SHA512
62d6cb93c2b03162846526db81572658a5f20909499eaccab3b0af6dd8c3ef6b3c98c45d25c4cdfbab7dd5853b83a36c20e175cfac31dec40dcecdedf09c3684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579e43.TMP

Filesize
48B

MD5
65f4f92539990b78485accca34752714

SHA1
fde506885a0f9048e1f4f9f15a3a1d0f7bad63ab

SHA256
6214c7f717f66b84a7110b6590196dc51277085611c31abdb4f8e8bb01fe21f4

SHA512
96592f74dfc9b9d11183777d6f613d2d7db45d30899c07029d5c0968bce2e18656dfb934be378dfb102e05f091a48642e7d1be57b219499849193a5bafaecbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
025325dc707f62ce3144356c3b1b7840

SHA1
e3a90d6226480241f33e66c5ab32633e0b53818b

SHA256
618ecabc6288fac9acf4cb240a8434e1efd3adc863add288475ef85fab2232cf

SHA512
ee69cf4de83297f235c7700a844104f3d487a7759ee506fc780ca4731bf322e146c8eb1bc8b7a69c12e1d4e7796f3e6a7e613b6b93527da07ece7e379d0018d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5824c9.TMP

Filesize
203B

MD5
4b9ffc797f08db5416db6eb4f4a0d30b

SHA1
0b66c033c41c8bc95c5bf1c64b5fcec3a5285278

SHA256
38863dbd59fa91979750a8b9ddfb48cd2261c8af3544f4a0ad0f8fe8526c1537

SHA512
4d205e6ef7fefb6db8fd2e09bc21288f50f5f13b29864539b420f4ea56ad48d8e46c13624294408cd0fb46932ca313cfd29094140c64516ef5d20ce19bca6719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b327a3f759631c7e3b844e294ea688a9

SHA1
fe8ba2bbb0505bfeced6043df2d86b1b0d2c3322

SHA256
6a6fbeea7c3ff50060f42a5746e8edd8fcafad7730ef5a9cd17065549501095a

SHA512
f43ecc6da42ce467f190c49d9aab0485eee09d575d33be4b7cefc2f13db0f850c21d99a20ef914930c7f32fca350067460e65f7aa2b59dfc2d7c3c7939d16a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e30c5b30395eaf688c422e9f718e6b30

SHA1
bb792aac5d8209c9becdae2ffecc26fe50266994

SHA256
5b24660273b719e28149ed2c8a962bd6f98da9fe281578e8b4c6bd4738ed943f

SHA512
efe625bb01d0ed5aa36188d93b16c4f26b5a8b03c8d054a271806686f8de5e159f3ee99d482313f2af8af972cba4fd9067d4581f2f0e2ae9240d6c4fde18821f

Download Submit
C:\Users\Admin\Downloads\tweaks.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
memory/5208-178-0x000002D338BF0000-0x000002D339118000-memory.dmp

Filesize
5.2MB

Download
memory/5208-226-0x000002D31E260000-0x000002D31E270000-memory.dmp

Filesize
64KB

Download
memory/5208-223-0x00007FFD65550000-0x00007FFD66011000-memory.dmp

Filesize
10.8MB

Download
memory/5208-177-0x000002D31E260000-0x000002D31E270000-memory.dmp

Filesize
64KB

Download
memory/5208-176-0x00007FFD65550000-0x00007FFD66011000-memory.dmp

Filesize
10.8MB

Download
memory/5208-175-0x000002D3383F0000-0x000002D3385B2000-memory.dmp

Filesize
1.8MB

Download
memory/5208-174-0x000002D31DDB0000-0x000002D31DDC8000-memory.dmp

Filesize
96KB

Download