discordrat | hxxps://mega[.]nz/folder/AeMzGRyZ#xTt-KzNRdV527KKpj7dHuQ

Analysis

max time kernel
1039s
max time network
1041s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/AeMzGRyZ#xTt-KzNRdV527KKpj7dHuQ

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Executes dropped EXE 1 IoCs

Processes:

Discord rat.exe

pid process

2096 Discord rat.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Discord rat.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
2096	Discord rat.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Discord rat.exe:Zone.Identifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\release (1) (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 389965.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Discord rat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\release (1).zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
664	msedge.exe
664	msedge.exe
4424	msedge.exe
4424	msedge.exe
1692	msedge.exe
1692	msedge.exe
852	identity_helper.exe
852	identity_helper.exe
3420	msedge.exe
3420	msedge.exe
4324	msedge.exe
4324	msedge.exe
4888	msedge.exe
4888	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AUDIODG.EXEDiscord rat.exeDiscord rat.exeDiscord rat.exeDiscord rat.exeDiscord rat.exe

description	pid	process
Token: 33	5096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5096	AUDIODG.EXE
Token: SeDebugPrivilege	2096	Discord rat.exe
Token: SeDebugPrivilege	4296	Discord rat.exe
Token: SeDebugPrivilege	5048	Discord rat.exe
Token: SeDebugPrivilege	2112	Discord rat.exe
Token: SeDebugPrivilege	904	Discord rat.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exe

pid	process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4424 wrote to memory of 4580	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4580	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 4280	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 664	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 664	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe
PID 4424 wrote to memory of 3512	4424	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/AeMzGRyZ#xTt-KzNRdV527KKpj7dHuQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb92293cb8,0x7ffb92293cc8,0x7ffb92293cd8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Users\Admin\Downloads\Discord rat.exe
  "C:\Users\Admin\Downloads\Discord rat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5676 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4256138603113673223,10900527932947502211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:4392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\Temp1_release (1) (1).zip\release (1)\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_release (1) (1).zip\release (1)\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\Downloads\release (1) (1)\release (1)\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release (1) (1)\release (1)\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\Downloads\release (1) (1)\release (1)\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release (1) (1)\release (1)\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Users\Admin\Downloads\release (1) (1)\release (1)\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release (1) (1)\release (1)\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
127KB

MD5
910a5caeb7ee2b893e8476489fb5c376

SHA1
d0251760e7eb684c1c0f286f63d8176cf62ed495

SHA256
38a54e3600eab92156893c7e944863310ff34f62f34c264013adf115f14bdc3f

SHA512
c709f03c6d08bcdfd5ce05e3a122fa8a9fbab73ececffcced80fb5d54bd5e3766ebcbaf0b6e0532f42fa06b8f671811273c4362f0d4fa82f013239ed85e71dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
4b4ccc68283ba4718d4195e59fbbe594

SHA1
697f1830a461c6e3524e9ee220ded53fbc6c0caf

SHA256
9ea1823c3de4af315b8b23d0170f0b20a4bac1062884ffe24ae233cea0bda252

SHA512
f7b534875ef790f2a09c98e1a94511bb93cbb6fca05a0e8cf7f146d69fd900cf92880a32c0b94d513bd40ad141395872eb4915cdf761898dc29ed57cbfecf5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9950e16ac592f19877db55fa410b7078

SHA1
adf124b678dca0730daa3962002a38e28889a4ee

SHA256
6fe80b23e975f7f6ff7d270bbec2b1e01325e51045c63c2a2b84cd4fd37f62ae

SHA512
db85991cae3c77211a77ff744c729bca94e44886ec700d8f154a50dd12eeef56bfa3a7ac08c9cbf5203e7a0f9298a64387742d55d3bcb96bd95adb2447ee3e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd10839f47d1d972a7bff0b0c0b31636

SHA1
f8a4ae0ce84cc0c91e93438eff38a885d2c1696b

SHA256
356de0966f08b54a557e9d28b0a636b16b0ea35a8e45f126578c9e2dcd18ab79

SHA512
aa4c7eca1dedb2c5e6632b5d35b087198a178ec49af2553846fc27193b522025334b628356ad3838da2d9163c715883a8f027bcf6af2ed6f8b3125df4444cb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
873B

MD5
7911ef935b34b003891261192de6a42d

SHA1
7d8ad320fbc39cd524dc01d3caf936d293dc0b83

SHA256
84cadad052016df79f920fa6929192fbf03923ecdd69ecd0707b86c844e9c86e

SHA512
2fed1131a75391fe35001d5a62782cf0250a56214d20cfbd507e986a6523ba67244dac046994e05c0f4ea2d61a9664869b480b01f3797469ba56a10ce61e26e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b3a2a3c9ec183469b1752bfbb8c24955

SHA1
a3d46ce1e0e04bac5d3d4a81d18395a93fac6e6a

SHA256
f78ca50d80632c8f220ca8a4931a7e74126facdb5b06a6aae8d646119f29b174

SHA512
736df95a69aaeee2163204d2b7a80bc7d8706adf0f229c88845df4e78b93bb015d4ee15aacc7e6971cc2d984d0c16cdffc44ae8d3e34fc69b11c0a65a9eaf268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8f0970b688122a14f8b71955cc97edd

SHA1
264763dac22729910b87bf0ae5ce5f75f64f5a6c

SHA256
f37c3f0a974911b813c9a5c65741e881ebeec572d8c020b015882411a08b645f

SHA512
cbc3c25f8dc3ba697fadd5eeb4dd5f2eaf47397058982a358e3a8456aaa3477c669b958c582a3375c4048fa4b696ba6ce36402d002a0d6ed9ab0a73b2ca09ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20bd512f4e9493f20299485c3f246c9a

SHA1
7f09b79b7d6ac8e593e63003f518f83edbbecf65

SHA256
ea6b56171759e38799965d628bca52a1d601ee0bdb2024830dbf280f17495392

SHA512
2a0b6b2cc7a729d3869732bc0a89f8e252bbde5f82f549af735f949c563a7101b9edd929defe0de8e843eb243dc579a3673619866e6ad5b8cf2aa64bebf13364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12157cc1495965e20f74b3f92e7c9f98

SHA1
13c38fa4c3f19d0b520ac386b872dc8be3928a1a

SHA256
a0a6d6cf02e823d4fdc8faf52017f6b6d40946bde30cf86f9240f6a49ee61383

SHA512
4b0c35ddc61db30bb07af16ca546d9e3bd5d4c54a790278a97a514ce7caae235800b90884e1981f0ea92d1fbfa384c307f61d9efb55258b0a3403441b4ce50b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3de7f9717e49a073ce8fea2ca61a8961

SHA1
b534974309a76d27283070baaf1cfa2581123494

SHA256
1380c397e6570b10f4ed269c2c87f214535a5de3e904d2468548b2321f092dcb

SHA512
805fe3e12127a60d1ee69a1fcbc50cd087e1bd6f261759c7dcc28804c56de84f87768dd4c39ec9daee485114e5315325f7736a5e24e11ccf810972b4f9be94d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c198c4d277de619cc6a93085e61fbb3

SHA1
0d96cdce1417439d0ea6963ab225bfcd1e8bcc32

SHA256
f9db69dab8f3fe161777b95948ae8f6a92147dcdff1c942cffe309f2661198a1

SHA512
3cbcacff396b96fc5e776cd3ea72bc5dc6924d6086e49ece055867d7fc3bc2f0795367c6918acdc0590efd2fad0a7d095de0e78df6effe734009077794d7713c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
728b8d59818141839dc7b177bed47f1a

SHA1
14f860633f553b06cdd398150f94d2e3792937f8

SHA256
92b2bf5c4977e6e61e3d7c1db34b714fe6f4d225f157d6bfc33d34c580abdb0c

SHA512
7efde10c44d2c2292c0e284b7e3ac5d6006bfde05cf7cf2911e54918bcb755b69d787e735c3883875c2a5fa4b887d22c567e735cc96290be89b9724f63de4654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0042d6157b26cf9c6b4ca363c70c5b65

SHA1
4ec8f9af05959784745cc64b3591300f77bd6821

SHA256
03e8013e2f11b5eed91278973840e701ef10d8826cee10c25b5c2d4fc8d9dbef

SHA512
aa0360321e5bcaeb62b1592a41ad9ecca2e10dfd398c0695e4de07691501680285e1465cc85c6a7eea38c34999d7273a4429bee5c5615ebf38b633eb60004fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad668023a4f6c6c20e88566efd74cfd3

SHA1
0de8f554550a99167b126182ca99644acd0f7e86

SHA256
6d70bd588ffada5d5487fb79ad486e03a2c8d7ee74ff3ab9b3fc7773df253832

SHA512
86a41e1226a51a8359f50a82769f53e1c5fadba6ba5fdb3ac5ee5677993a5fbd39945886b6e44e46eee749c768475b212bdbcd57b16342e124ef4eef3c45eb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
836fc059285515834c30cafd18b2d16a

SHA1
e41bde655d99aee276ffdd1bd53b91717f2fbf08

SHA256
196b874af8f960f1739231310f22305256c115e29cbd9a88834ef9277dcf609d

SHA512
1ea8b080212a63c22f5b0cee7cb3176cd9afcc8403964528b639fe214827b9e1956ec01dd711275936d8293626a77883d8f3a5b33e385bfc54dcbb1303d6bfcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9fecaedaeddbd6be8aaf2dcd9180fc80

SHA1
1bf9073b18b6d9c47f3fcb5085345de890bed76f

SHA256
c3ebaf06ea3a7bd1ebfbdff7787990c0639269c83a9dd25cf348a70528e8de2e

SHA512
c7cd43630cb416cc2808144d0564f4da9a36a1a582fa97f7af3074794ec05093f004e3f4bd4956c9974625acc6cf8290300b52120d30666a3dadd7238beeded8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581642.TMP

Filesize
48B

MD5
215cb80bbce2d743af18543bd5f58e53

SHA1
c5a2e2cd7834ef91b9458881aa2c98a5b2f8c7d2

SHA256
9f2fec383607a2668235a4cb391f5e5393a110d65578cd9821a2a044fa59b855

SHA512
660fd1c459eddcbd2ac31f1e40c679849fe7af846fd26242308256a4ce5d3d37189c1c70200943537574fe8a6ec0e85b451972aa6829a5bc3a1b3019d07dd011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
decffa0c84157ad3a6593c66a5b67b4d

SHA1
76d10e2997a4b2dc36705e95804b7e2a11712274

SHA256
3532740c35f7788882406e6b92556d7b7ff5787eaeab175a74a7969121fae7af

SHA512
c48e659b47b4d57dab62edbc7da34db0f31212ec15e6c2e298b9e370155990e9ce2a43c2485274d9319b5bd15867ce9d2165249dae921d57c5021ce9bc3c794f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a3896.TMP

Filesize
203B

MD5
b4078c72c5ad2a616c5852d088ca0dcb

SHA1
41b6ae016c59c55e7b44d21654dd08a655e6dccc

SHA256
02344f9af19a22747f147351d2b568a8468b6dc917bb13e16b1e4821e121edfc

SHA512
25ca30253421d786868c76d92c31df18ba78c3bebd75b9f066f2268cf63fdf1490b86154f07e64385491868fd335f54d14117c41bbddaa17984869edf49ab7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4179c939d084c4abaef78c31b920274

SHA1
57e74974390b836e2d5587a7dc2de5a19eb9f135

SHA256
a85ace287ad9efd3cf294390fe3d58185dae87185185da280852d89ddf81f7a9

SHA512
1c5b22e72472a58e3dbd86dcb554e8b06a750b18b1a87254f25965b1ae4e3d062a93dd1547ea505a7c9efad797e28eeab2c3440e556264ad2ba3b9a3c1aee36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85c2b40d1bf326df89e9bc24dd244edb

SHA1
37ca9501364c856f54940d16607401bfead58219

SHA256
480f88cc83c901f22b6897a1b228ca7a9d1baeba561110f41c26e9c00eb3d6df

SHA512
333cd420d29fc72524bce02f2daecedbaffb70dc5c401c3369b8c837566e26512ca6cfefd5aee435b9633010f7e421bab6d61794542f0d9479a62f953f11e092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bbbdac07a97a7c8b3d8887ef851506e

SHA1
4b95b08dfae756436cfe76db7c4bf097e0ec1b9d

SHA256
9e096167311932fc2cfdd816d6a450f4b9fd8559887f0b5570bcbd252bfbf1bf

SHA512
9aeadc38589d9ace3a397f81b0cf5e3ea36e2058f1ef4d67cb4cd563c3b5c82288a06310a2c752f9d233cfce9648a22170f6c1cb253428472bc5335aeee25af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3ee2d8f0308f175381435527b24a3ef

SHA1
a4fb7a3e5dc192b78b3176e525b30694907ed74b

SHA256
f819d2f944dbd6cee642e184320f1a544588a41dc76931db331483d75879302c

SHA512
0155cfaf94febd100bf5a2f51ceef6192b8f44ec44760be71f3070f77061930399f6b3a472c3d4430a179c4305fa4f6666cb68898068a869d445b3a8d6e7e4bb

Download Submit
C:\Users\Admin\Downloads\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Downloads\Discord rat.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 360172.crdownload

Filesize
1.3MB

MD5
3a378db186cf3385383e5e3e7d901fcc

SHA1
75c5722c2ef463f3b7a48eb6a127fca9e71c96bf

SHA256
3e55c371f9eeaeca2c1045b263b4ce4ab0bc6cd8b09a48bbfbc8358ef0d37dee

SHA512
f9d908dd73d334283c9324993e5ab4c05bdc857ca054d5c562c9f0c0036d1c5bd09f3edccdd7c906a1514c367592d9cc1cb735bef86cf40dedf571dec2beac85

Download Submit
\??\pipe\LOCAL\crashpad_4424_QBAUOCFOKIPEJKBT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2096-271-0x0000014E76DF0000-0x0000014E77318000-memory.dmp

Filesize
5.2MB

Download
memory/2096-270-0x0000014E764A0000-0x0000014E76662000-memory.dmp

Filesize
1.8MB

Download
memory/2096-269-0x0000014E73DB0000-0x0000014E73DC8000-memory.dmp

Filesize
96KB

Download