discordrat | hxxps://gofile[.]io/d/EpisFG

Analysis

max time kernel
136s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
31-08-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/EpisFG

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3OTMzNzI0NDUxOTMwMTE4MA.Gu11rN.Rd5L1lKFg9KORYC2Acpyz613CN8ljgcppT0oso
server_id
1279122304999100426

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "6"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "7"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Rat.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
680	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
4324	msedge.exe
4324	msedge.exe
4788	msedge.exe
4788	msedge.exe
4660	msedge.exe
4660	msedge.exe
2976	identity_helper.exe
2976	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2428	firefox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2428	firefox.exe
2428	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 5072	4324	msedge.exe	81
PID 4324 wrote to memory of 5072	4324	msedge.exe	81
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1284	4324	msedge.exe	82
PID 4324 wrote to memory of 1264	4324	msedge.exe	83
PID 4324 wrote to memory of 1264	4324	msedge.exe	83
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84
PID 4324 wrote to memory of 2092	4324	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/EpisFG
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96ee13cb8,0x7ff96ee13cc8,0x7ff96ee13cd8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1784,14624896336218680647,14293875852712525603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Rat\gg.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:680

C:\Users\Admin\Downloads\Rat\release\builder.exe
"C:\Users\Admin\Downloads\Rat\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4888
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40458fad-2631-438a-86ad-5cf4d387ac54} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" gpu
    3⤵
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b862b17-58a5-4f59-a771-6e1fb8bf4d15} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" socket
    3⤵
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 1724 -prefMapHandle 3256 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e9ac18e-39e3-41ad-be5d-ff75b8604be1} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:4192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3592 -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3600 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {625c7a14-a3e4-4029-ba15-968b84c489fc} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4308 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4328 -prefMapHandle 4324 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4315d28c-38ce-4a71-a0c3-cc5d8732e8c3} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" utility
    3⤵
    - Checks processor information in registry
    PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41576ef7-90e3-46f6-a751-5bee3a01bad5} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:5480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25ea65d6-c772-4a51-8058-36959f9aade0} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b72ff91c-55ea-4d99-877b-1867595bd4ac} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:5504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6152 -childID 6 -isForBrowser -prefsHandle 3308 -prefMapHandle 3440 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dbe09d8-e603-4be2-991c-72925167a82d} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3444 -childID 7 -isForBrowser -prefsHandle 5748 -prefMapHandle 5984 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de2a8f7-6adf-403a-bce5-fddd17451b8c} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" tab
    3⤵
    PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\00023df7-6e29-435f-8ac8-a5175daee168.tmp

Filesize
391B

MD5
9dc479fd661486caf38cfe970da1dd0c

SHA1
9816cbff5bae124952e5f64a025916abd5c67d7e

SHA256
9d3a72c4743b3fbd2c77e1fb5a35671248de793d4a2c18aec8765630fa88b8ca

SHA512
6c2936b3aff330c63719b797cc2429b2fcd91d8647c4db32a04122fc64e55baedf823444896d7bb648a699de36d910f227ed68490498c713a7857ae366b5857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
bc2dfb44f8afda563ee26c5db782ef5c

SHA1
24510af81e801fdc51d62cd907c7007f3b052b7a

SHA256
5ef2084f5fb8cd2aed3f85162e8f2ba3d131c927de999872f055bed1197255db

SHA512
d528ea630c14751bbe050a5483ebe4d6d882e68fdcd9ab5c13b9d0e0c82acf9f22c097c862fdbe132f5b4124848f82e6b0a17d7281996640a4e7fe1b27d6e0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5889fd76b7662364f82e0d87ac0667ff

SHA1
115806ca3c81301c537c16914b9c7ce6f9414bd8

SHA256
d8d089bd05d7091d5fa7647e85890c6d437aaa8e873eee2e540c7b40b635d2ad

SHA512
35a4f78ff110e23cf05274d5d492af63833a595c05bb83e9bc4d202476d11c07692930f78c0cf62f23396e2809f994ce7cf8d49c4eed0aabb0081ccab017ed5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f61baca271b747830971bb5750e9749

SHA1
c76f57b537803b52ee6820fabc96348c02d90a88

SHA256
9d2a58e3073652d06290ce7b27ee2e619a8993dca3e6d91da0a069918d44edc1

SHA512
052a40ee7bd8d35b11a8db28d07df0f604efc354ffcad782fbf77d25b3e887ea17da82dab756364f68d0c27eb3fa5685829f64a2b5bd8f247b7057d68590fe24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b8303ae312c341d20989aed0e026e3aa

SHA1
2db8fa4dfaa9ddb2809725b48df94fb35b314bc3

SHA256
ab80130537dce9570555f2ac16f7681f347cb694c5db38bf206cfe327ed66100

SHA512
e28322e1fc84ef01fc06a512062165a9bac3e7d00dd81d00c8f80f4d2b842adea0a92ce9a529bb92bf68a375d38f87541381a115930048118d27d2afa0426086

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\AlternateServices.bin

Filesize
8KB

MD5
5d8b16331d8e3a6e88d1bd2d40b3232a

SHA1
8697777b044d149b83ee1d1fcfa82aa322987083

SHA256
0d2a4fadd2972f56cd1a913482e00467a2666f0962681e013f6d98b7a0e0abb1

SHA512
f1048c2434ca3ba496508011b68fcc371440e5255bc48fc66498c4cb572f6068207a5364ea920cdc702882c2495c4f0a5ad8a9a31386dbac5df9679afa0d6a66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\AlternateServices.bin

Filesize
12KB

MD5
e1b56ed4b8353b2471d386267248ff0c

SHA1
2f74107a2d290500aaf4fd43e915cda20f1959aa

SHA256
b542b6c580e93a78cfd309df35f761ff556b9871f439ebb8c85f876579e94927

SHA512
a196d58e829d47c62c14946b0d25d7a45376bff416c56943475b0a50ddc177f65f7e293919f2a800428f6d4b786adc20f1a788db4e12b27ae83c66332d93f6c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7789f7c028a270f56b2e8b0fb90a4c24

SHA1
47689d721c265da7583a552d2415c86e576a7f85

SHA256
cd05b7830258d613f8ebbe39141ad4b34883264168afb2bef9ea23df7b410352

SHA512
4db5fb2d7d70acd3d99636cc6464998f8813a99876ab53988b538470bee8f56285de17917dfb57a6ecf73ab09c9bd6b725d487c4ea7675b78c7509a650874e3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1a4bfeda8e7154f4811258c3cbfc00cb

SHA1
6ee928ae00eed30931e46a85eda8273ab8f8aceb

SHA256
dc723d2f19572ab2be411f4f241da3ebb1fb5bb43da3d098beeba46139a1078f

SHA512
454f07397cb284c08080bfeeb12299d9e797128e279b2f66bc1c1f6b703a38d766055ae4f2ff6f00bf8da0089b62c776a06c01fe119598f8d7ebcc9018331c80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
17fbf18e0e880bc7742a595546cabc5e

SHA1
68af94a2f60d9a7b788eb9bb7bfa90cd9befa7ee

SHA256
2b53013b6d78d5ab2d3d0cb8302905a424a921e25970b80255f5248c22856495

SHA512
415e91c7f92bcb788d53fa05557749f9294c855311b7f66091397801ac79ffc7e8218b553ad9d40475a448899b3c027d7c903abe81381d16423958608a2a8e95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\1f68ea00-de35-4692-a86c-eeecd15ea095

Filesize
982B

MD5
9a507b0f864fbcc9730d8d77c9416672

SHA1
bf5b8b348029ae01f21ecfbfc469e5df04fe41ce

SHA256
b14d20b984afedb9131a2a4cedb5d5c20bf9c4ab2e1e3101e7c4e087a264d439

SHA512
4310d5d691cde6633911bfbca23157a49f7680d32d57ac5f628f19f1c3bf565576549565e2151f9216c536b74b893a4f26f4d010cc2a7668c13fdc842fcd19bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\7e0d47a0-e2e2-4432-be3d-44c03c2229c4

Filesize
25KB

MD5
e0f3885f5563264dacee572a6b6ee6fd

SHA1
e7a3bd45e6744775f8edb85f336bde083cdb42f0

SHA256
c5c48bc2d841c718a4123f3168c08fb3aa3c385ad50759d89dfc0c51fae2cc01

SHA512
1def9a2e453ea33ff6d49fe0c16cfbfb9ba1f327e8e6d62fc2eea94436509452d2a63c2a7a7f16a79cf834cf019640ef7e6b571cb0d06a8d12545b4d82d2f470

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\7ef87113-aadd-446b-b8e3-9c37838fe664

Filesize
671B

MD5
9f8163f91eac70519688c1c53813ff31

SHA1
19fedb7a6f01614f9a408b0c6eac44632dba2934

SHA256
22d2b9313702eba97a5c5952844e8a844327f1ac0a82bd2f526c74455d8f411f

SHA512
587a0fff4a86e252a24e15db33d154f71ce66e0690eb901d2b9703fa666357a2a57e45036562035bfd95e19f762a24a59028b2bb6588c2910fa841098e1adc26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs.js

Filesize
12KB

MD5
cee2535b5ee43f30a51c3e7c0045e8b8

SHA1
dc259e0f714aa30929817dcfa2d69e9dc5aa2ddc

SHA256
3632541b49bc39401ce62a57f581c5db06c4a7ec67d3ef5713fc4136533d2cef

SHA512
5c90a0c05d8b2fc04e39db95f897fbc7ab78c1f63dfc552c6b8f1106beffc9d0c784bd240a7519dfef368ceca9195c958aa0ee25425942b80c526a5efc2e992f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs.js

Filesize
11KB

MD5
640c00442d75dfee6944a42fb9fc2b5d

SHA1
a511a683b8d4f84bb7e78cad81aec72ad149c53e

SHA256
c7888043dc13358efef20f0af942ac0a2c3689cd094bb9e2408e007bbcb7bd64

SHA512
3e0c8bd6fbf63e044364c9d93e0922caa43398d44d13fa967dacdefffdd764fc0ab66e8eddd54f9fff27932543c03203f8de942e7893b4e95edd0687c772797c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs.js

Filesize
10KB

MD5
9822a1f2bd2bf96533671dfb8d495fa8

SHA1
93ff8050ac096726dd1ffb52eeb0db49b9d90964

SHA256
5058e33a6f2580dd9bc4a43bc4848b22be6243e8ccf76a0e7c22ac8dc333b255

SHA512
c555dbc08dfe57b462db9eda43c276a425518ab3d4fbb93da94401798248ffa14efd1cf0eb45f0e6288bf81bec5ac2b9fad783b7e78423dd4be3e823d744ddf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
825fb99076084bc35d14b145b902368d

SHA1
60f59d4bae583ab220696a14da2c9a903aa7f454

SHA256
ec6332ec1213bf8a77a704c80fbe2432a5da67dce19abcb3e13538f0f0a19fa5

SHA512
d2a00d4bc2463e8b9943944e1355feeb4222c503e907c624f09b9b8f25e5a9284f4be287188f2aee797fa8c7a5aab5dcadc02807e9f5deba6c8c79bc5fe7117c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
05b868c0b5f09de50511989499415efe

SHA1
ec6f706867972da1d9acef6899ecfd05d6994074

SHA256
dabf4e5264cb76093f66a0c4fe9f0a6a4fc7f966a426725b37160572cd3be614

SHA512
9a2d1b104124741ca19708640caf97eb4770eb688b21e70fb3e31bd8780a59ec9726f430b80eb9d8e41606d2c62c57c00bbb8566fe3e4db590c6feddec72789d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
dd8d568171925437c7455bfac2862f66

SHA1
90595702e565013a31a6ade0e060baaace00bc9e

SHA256
4c3a8adee749968688d65e10e52f71cb42bb6b72e0c9a80234541b189e380fef

SHA512
b1b4f95fbfa562de2b17b387823bb5546b39d1d053fdbec7db3be020e838673f3f2019b3aea3ec09f80267ca60ae255d1317abe8f65413d34b513758cb9374dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
0481f4840f6f16ecc538e077e172d448

SHA1
fa05d4b6f8470eefb676a09f9b3a5edcc56f0f15

SHA256
bf0a91593fd0524d121037981ab51a011fae641037fcc8a2815d0b66cc9e29cd

SHA512
2181685d0d7b258cd22d64e81ebc8ab5657e6898fda370d0c079bb7d041d760a4698f27eab9dba1d985db42d16f73dbfbbd78c52bc50462ad9d9053f7e30b73f

Download Submit
C:\Users\Admin\Downloads\Rat.zip

Filesize
445KB

MD5
45c36513b8d8c3f62547f05a54e976b4

SHA1
7b8dc1e116c191496f6ee817d0a02b7e449e534b

SHA256
4d2bcb62f9a7f0352b904bac389d1eb3ef363a9e975a281ed04227d7885a80fd

SHA512
7c54dadc83d7e38d2cc273fe963cf739de632549d1ef61aa1784fb0b5bea5175381de56c828c3f3d95d591572baee7f9ea8e34973fee0cbd3e80b956340a144f

Download Submit
C:\Users\Admin\Downloads\Rat.zip:Zone.Identifier

Filesize
150B

MD5
05e6854452613f20a0e03758041c2d60

SHA1
8728abe9ec682deafbbe31aa9f6dab118ba7782a

SHA256
dfa278380fd1ebb71db0c1e422b6d1d1cbdb61fd8820bc68b503ace6baf86b10

SHA512
aaf73fe15808f73d79edc78c5e19d530b367234c78d232bf5cecfb8b7d4b39d883ab7b30b35c3ff178aaff7d525fc08845e0f196ecdc369817185a34df31bbb5

Download Submit
C:\Users\Admin\Downloads\Rat\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\Rat\release\Client-built.exe

Filesize
78KB

MD5
08f0c07cd5403c3941a9a46489bf095b

SHA1
1b00de5827725e9d3a3765b0cc4b890ead834831

SHA256
1dff16bce7153b4f873910db5f407c785637a2b99e3351bba49fbfdd6aad1074

SHA512
67b26f97375912d3b286379f7803e928df1db6685c0fda51153d9763714d05e763ff9ff526754965427fe605a4261ec8089e454a441115ccd83a4140f999da41

Download Submit
memory/3340-201-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/3340-205-0x00000000084B0000-0x00000000085D2000-memory.dmp

Filesize
1.1MB

Download
memory/3340-204-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/3340-203-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3340-202-0x0000000005D60000-0x0000000006306000-memory.dmp

Filesize
5.6MB

Download