discordrat | hxxps://mega[.]nz/file/Ky4mGDpZ#FQTjNUuvGvFHkH39S3ruxLsvrxzxC7k47FRvb4uBFuc

Analysis

max time kernel
192s
max time network
196s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-02-2025 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/Ky4mGDpZ#FQTjNUuvGvFHkH39S3ruxLsvrxzxC7k47FRvb4uBFuc

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNDk3MDA4MzA2MzM2NTY3Mw.GODXM0.2JGKZS8VnAxE5jwa12dVBtqgxX8XbmpDGJYfz0
server_id
1334971060784730215

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
1644	bu1lder.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
30	discord.com
73	discord.com
75	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\bu1lder.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 826089.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Discord-RAT-2.0-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\bu1lder.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
788	msedge.exe
788	msedge.exe
872	identity_helper.exe
872	identity_helper.exe
5820	msedge.exe
5820	msedge.exe
5220	msedge.exe
5220	msedge.exe
1960	msedge.exe
1960	msedge.exe
2468	msedge.exe
2468	msedge.exe
2468	msedge.exe
2468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	5900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5900	AUDIODG.EXE
Token: SeDebugPrivilege	1644	bu1lder.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3604	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 5340	788	msedge.exe	77
PID 788 wrote to memory of 5340	788	msedge.exe	77
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 1932	788	msedge.exe	78
PID 788 wrote to memory of 4868	788	msedge.exe	79
PID 788 wrote to memory of 4868	788	msedge.exe	79
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80
PID 788 wrote to memory of 904	788	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/Ky4mGDpZ#FQTjNUuvGvFHkH39S3ruxLsvrxzxC7k47FRvb4uBFuc
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc69d23cb8,0x7ffc69d23cc8,0x7ffc69d23cd8
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7112 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4676 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4574104532322889048,486561948846491927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4628

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Users\Admin\Downloads\fdsfsdfds\bu1lder.exe
"C:\Users\Admin\Downloads\fdsfsdfds\bu1lder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
111KB

MD5
feea7b57f53874e27b4b5789dbc217ae

SHA1
c4bcae7c87443f06a1ffbaf35699c087a436424f

SHA256
c3a3624308b0e8f27b0e159d011c856199fcfd68e7cdfc30fa9da85510e8de68

SHA512
9ae646000f0abe6af8f786417abd2e7ec863110d8e7793bc648d1acf517c508e545964db211b628e0acfe82d30f37185329e2562e61f5a6188b7d5623bc0846e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
25KB

MD5
e580283a2015072bac6b880355fe117e

SHA1
0c0f3ca89e1a9da80cd5f536130ce5da3ad64bfe

SHA256
be8b1b612f207b673b1b031a7c67f8e2421d57a305bebf11d94f1c6e47d569ee

SHA512
65903ba8657d145cc3bbe37f5688b803ee03dd8ff8da23b587f64acaa793eaea52fcb6e8c0ec5032e0e3a2faacc917406ada179706182ce757d1c02979986dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
20KB

MD5
d8e280973cc708c5ab15f393bc63396a

SHA1
e5ed496d8bcd7b16832c2412f5610de426529ce8

SHA256
95498d8a14b76949c4c3adc70aa7e5583e2f57ad2c0a49e6b631aff2d9a3cd06

SHA512
7b62d75d904710845244f8707e7e15f3f98dac46a2dea848c69080d2bc24d137ea136f3b03c22605cc46e66e3ef40c8562f19a0a2002379c5012111f767ce773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
21KB

MD5
d141a6f6f1f714737b9121b00fc34f8c

SHA1
a151b8ae9b99e23d2a264e97f38e0fcce2e9ba4b

SHA256
e83fabb2fb694dcd82143d1f67e23b46caf85a50fef6c178d9ea38a0809f4e3c

SHA512
b2d7a92848a9aefb245783ea0d142d3fe987b551eaee0e37f68070775dfc35866c295702da092fbf266a273755036228f26cf6090414e2325fdc2d06047e5f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
37KB

MD5
9fc4f3c0ec97d39f8a936972c9caed48

SHA1
a9546ee2354cdff39f10fb32cc9495745c14a875

SHA256
9e86376f729620fd1970d3931cba62626108e41f6962e6b84a13bd8c0bd641b5

SHA512
6e1cd676423da9bc7aa523ab56b45f0343721bcd859fb0e7b0061ff940f27a5db6119e5dde37d397e189177ab80444d38091a31d0e6c354840d083bf1bbf8445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
26KB

MD5
525579bebb76f28a5731e8606e80014c

SHA1
73b822370d96e8420a4cdeef1c40ed78a847d8b4

SHA256
f38998984e6b19271846322441f439e231836622e746a2f6577a8848e5eed503

SHA512
18219147fca7306220b6e8231ff85ebeb409c5cc512adff65c04437d0f99582751ccb24b531bbedf21f981c6955c044074a4405702c3a4fae3b9bf435018cc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
18KB

MD5
8eb86590ca5b589e6d3f5e70463e320b

SHA1
0ea23b0afdb96b7841dcdc3ae7b670603cccbd4d

SHA256
fa6110d56d214ae00a4c1b32499ada72a82777f59bc7b5e8cb4851a9d2ef56e4

SHA512
aab24f0b1a810de82251a11d6f22a593354c09387b3667185e6caa726b414885a3bd4f1bfec7166bf63d9e092184f5a6fefabfc9edf1e4b849f57699e20ad9f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
59KB

MD5
9a71bbdd476e3b8ef91169df36d7bf5d

SHA1
172bd29a81079ba3b282fc0ae70fb5f3e4ddfe6a

SHA256
2b1d023f768835fad32f403c205fe70d44fef5c888cc284e7afa8c3b79bcd708

SHA512
068326f03850345b3200798fddfc82dbf5f8459b1b79e20135c9c2a1045223c10088d83a0fb8fa498a3d80d8673b1f56de3b01ab3fe625926fd642c6782d73d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
43KB

MD5
31923e5e9eae03f9326cc960c336b269

SHA1
f28c63f99dcb3da394aba7886b4d4d40f4254bf2

SHA256
fb9150637a228ad1d7d7cdd7b48a35f077f95335c4540035c8d574422feb10b0

SHA512
51febd30bb7d5f65be8f795380cdcf4528360b23e388a61aa9b17ba15da7373024134583316d0447af5502c5cc9f12d6e2960a14b9047df6b66d6a323edcfc41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
55KB

MD5
c649e6cc75cd77864686cfd918842a19

SHA1
86ee00041481009c794cd3ae0e8784df6432e5ec

SHA256
f451a4a37826390ab4ea966706292ee7dd41039d1bedc882cbc8392734535393

SHA512
e9e779870071fe309bbde9b6a278d9627c7f2402b55ac4c0a48c65b1de5172cf9dad2992f8619d7e7aaf978e6ccd607620de88554aa963f3d45501913ed49f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
108KB

MD5
d78913ec94c74c8f7b9917ea8d8e7c5f

SHA1
b75dc5cf1fbcd90c59adaeb0a66bed203fa17a46

SHA256
0fc8cd712751d7f0704be9138524456fb825a6beb4f13e08ff5feec14b482d86

SHA512
d17d858361f6e763c2b473fd1271a1cc605d546e456e428f90e0bfd649ba3da38c7097953064fc4e03b5349b4c8804b84fb2425cf4a62b9950e7be9f1bab123d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
16KB

MD5
d539b638dd41263e8839511369cd2dba

SHA1
7ed0b62369946be27b368bfeaf75d571afd2197f

SHA256
5e18ecc847567b103979c7c5b3f6fe65737c6a6f2a9cc7a87b902fa2d4497e35

SHA512
b8b03f7291855db66ce3c9fe4f37efef7a613c975d11e12e3b3e2b02504907081760df49f2a5124795b75f7b4d2f1601ac6492e903908ca0fc0ce7b0931b1ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
28KB

MD5
127002092616e052f1950014bc24d00a

SHA1
68f9259fe6bd073a891552ff4f6401640a60a702

SHA256
c60ad690958707fdc0108a0e352132c944e67a90fa7f0581a79b725582b92b3b

SHA512
f39c0358054fb44329cac15e69b4e689e4447fe8bf92e95b1c6cd697c35f2c8da44eea26a623df19f55dedac5fe799e39aede171be7d6d9c344f559263793667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f25dc5ed80fb205380e2a9b3adf94ed9

SHA1
494b6efd6b986650b450dcecd99db7221d442381

SHA256
e9404c5ed4480c9b8d1df66e2e02a0d0cf90f3a948b257583e72be9ea6730e92

SHA512
c86ddb2b50e291993e3f4179804aa361935675f6ee35b20183740787edc7d797b29c6bf854ec4f237b1e1640b7b3efbea5df359cf1e6b9f7981ed6a1dff4e5c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
c4e115c112b16f7d5da6916f6ee60908

SHA1
d7843e49b7def4c590f1c4af41ce769588e58fba

SHA256
33e093525b94029e71f70cadb7ba17abcf0af274bfe9ea4129717e13a1808d11

SHA512
6fd569abdf35dc3154781526905fc14207b60ca0ebef0b1db783aed1e5ace13b4b46bb2aef115e8f6a9c33865b1c2e65187c3ee6e70d3e20fde264dcc4314b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cf6c7d7ccefe526ec6cb435a468c2655

SHA1
36c6e2128668ef5c0134f0b2232b14f55751079b

SHA256
5cb9c645a2f61086547885e1b4e14e3f598f8fdb6df62084ca6b4f651b8de907

SHA512
a4beb80c5369c0cec43527c66078d1150c1711488560756a74c01ea6769ff3fcd158c099913755af6d6dd660e9df610836993a7d7b4de27637b7b255badaa4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c927275e722cac0a50f5a65921cf5014

SHA1
9dc3b87cecb3977cf0235c00a47d447c9270fc5d

SHA256
3a93747262d2ea93280778b728761b8c552a516d2cae1996ce096abf1e876e83

SHA512
c801821551db935a43c6493e6ea769dd11dbf92e583f39938e3142d3b2a2806583cafd9c2e810f0a0b53a2c85c2398b0eb041024ab43f3fdcbd931801269a109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
78d476a54d6fa8942387e7ecf154635e

SHA1
abf0fd8004d88b3f855d102755f651db25446703

SHA256
4d9649f981cd68778f67631b9c317c42c6b7d01ff4982266d641da67faf8eb04

SHA512
0a0855a8f0aec3a1faa6dd1a0092551c172ee8545bd9eee3c92d4725b4a440223fa84a4def6a0cfecc284a9cc40ae5ab3cfb3d475972b7c59939d264f499eaa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bb1a824dcbb57cd6ee3260695249696

SHA1
1d272584fbacca44b9f1ac461920bdd2c7a035e1

SHA256
427dbbfdad874316791ab99da0c20bfe076ad8a65d457daeabf7f431b87457c9

SHA512
5cb7f2f8d70e9ae3be2625e0b736ae6b915a68e6c257e812aec52ae359407fce8153efb88cf0b161520c7179937bbe2eac1721ceb97f5a20521ca49bf82db1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f86cec2c919a5ab8043b83af67235a34

SHA1
d343e61d37af770980377fb9106a104b9ad1a44f

SHA256
0a62b2eeece180bd08071e6546197c86959f005105e090fa84229cdd10c5df4b

SHA512
fd082fefc2e442d5e3ff1156d2dfd4bfc2f377784e3e9884131d2d571a8e44681ed389165f47b3629bae97ec022871b06b7fdbb43348dd3e87143a2d58ad2d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d14f10c9bed3e0b561e96cb33be658f3

SHA1
0c886002f5ac98d4afd9cd6241d4138e5260545f

SHA256
2088b5be9d6e2602e46db08711317e6d913ca4dec86a8dd69a8d36db97b17a22

SHA512
ee5de6d6782349e0a8955b7e94d23dff3755c1f4d5d1dd6a634b3584cda9d53937228a6129e6ca26ae1197f381a4c6e7978501cffafe28599cd5838ff8c73846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9d720a88287a210868b6c31e2e72117

SHA1
7b84a6bf5ab201fff4bee07592a94b84bd070cd9

SHA256
9a9219471784673ecb4abd084ba3a21a466415a119da627f3eb189e3e3a201aa

SHA512
2d25def8eae01e9a48ba360e92f1f3bea1483f1091ee4bbd403685991351e55f036fea12287c49fbb3b9bc43a511900ccd08be108652e80dfb93f83ba83f52fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
375a7a0365895a5157da1f59bdadc18b

SHA1
456f75c74776e4e7cfd6fabe0557863a2c51c79e

SHA256
ae3c3c0a4c640bf35ba45549608e2a75f987a37139eb426cba26703dcc2c7cd4

SHA512
c1d7b2c9975792c53a83249c9a68e1481350ec52aa9acaeb46ad61bb95fe45a31c95ec8ce38c850215e98e746218e50e4c61b3ca434bc1029cf26e4b09a4b8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c833466e4fbd45022d295166b58ec5ce

SHA1
d6ee23718c8d902dfc5fd60aa01077518d8b25a5

SHA256
eeb9d14fab65d69a56e7ebe9289362e9abc056d1c57af8d2a37e299099361f0d

SHA512
b7e320775bd9a0f0ac65834131c402dae9cfc89ba3d9b6dd95819738519f44b8e6de99be37f0b8270a0544720d6b10b5d845dcc354e5612b21641699e8a658a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b858b3f8250330cdc09cf18d28d538db

SHA1
e194ba0fb62948366937c8318710830a3f231dbb

SHA256
b322c63f17e8fb8ef3263b7a0e95175f9ba00ef0a0127c5d5cb087cde171bfc5

SHA512
c420519177deebc94ea267747edfa39212893a543a077a0d05f57b20d1a3174e1365bf7466b4d08dea3b4691ddc7038597c0716684d75cd97df957adbd97c5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
77ad1204bfb43742d242aa34540ed762

SHA1
c1db896b5d51e822fe75b77d05f2b20360c058a9

SHA256
0411d1837867f9ffd348f53f09b3ed2da8d0ffcb3aa7c3f93af3be04046bf788

SHA512
eda57bc1a171ef064d12919489f3f1e326045f85d54526c5ec08663d192ae234a729f043547ac0ef19293483e3fd52dbf4d928dc531e43927292bc2dc71e9188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f211.TMP

Filesize
48B

MD5
8a2c2b6b583712ae25126a6606122eb5

SHA1
135c97d368e329e84b31fd17fe2fb210ef4550d4

SHA256
fd27090d41c6d25339f14ef55b0448dc70ac11b7fdb7ce5cb348e0a730c32062

SHA512
d2176c5ed9ae62150b3e39e42d6091ff288aac3bfbf4057eeefc7184275a3790cb5349916b29abacae7b2bd70883bab32753c0c2b0a958f611c6f3845f9d5ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8abd049bc7c3a5ee68bd4ffcfa5e75cf

SHA1
5d179d3c35123556b231fc9946faca35757ba4c5

SHA256
4543194d36abf625d860a8f1c3592f9f487d670b76637b11955e284ad74ab479

SHA512
2697ef58513ff5948b173eedc7d2b67fd3e3194130ec0cfa8bb937daf8dbc0cd42d60260062cb73a6b9f7f4bb621d497fa84b1457e66bec8a821076eadf8f33e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
334841b6eea33c5ee3c7954536c7f162

SHA1
e501867455b45b8cae2117e132214bdb444bb866

SHA256
89f3bfd0e2e5b525f4b07756dd15b6c32aec359aac88018c3c3bf937c97a8242

SHA512
be01c3a7278ab90d5b00f4e2f2ef997aa9d7b68d1dd07aa35611afb56a11209d5dd766fe8409c2da7c681caffe1c40a309e8cfaf2d05381fab2c3a398b98fc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8364e119e26ade463da5e7abcd70fe15

SHA1
964fc48aa8340b6eb19099fb624c7bec071362b2

SHA256
194f802bd93383c5cd6191eaf50842ef8a4a73cea0adeb122d8db6db448cd9fe

SHA512
92271da79c3c9016c6684f5bef20efeac2f48d39de4052339f14df60915e39b8ba2f6f42359329df2a13d5eae22450ef241d6a432f74fd9b20080c473adec5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
233e87bae52c854179b4cc29505c56ad

SHA1
40efbc9eb7b4d2d7063d7ef6d035f683348137a3

SHA256
31a298d2646855d6e6a94ab1d232c26f78f12d83f336c80cfb9efd30065deadc

SHA512
c8c4342de812dcd7c5bc038cb3aaccdce4802e892551b4a37d549c9d6a589b933944250436de8c87ddcca10b39444cc0c9bdba451d1ff71fc7720a019829e954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41aa62b00e5c55bf06841f20c0ce143a

SHA1
b5e5c8807cdc56b26d2fe9046d07bf4ebd5c6d1e

SHA256
66ab16460ab2f8d991eaad9c268945c7f93a6b9c4e1bc2c34589e52efb450048

SHA512
78e4995bc1ee633a48ab9930931af3284d8d6a38094d052e5aea18ceaca58243b48e11d4a73a5324381f246837bfa5140ef1bd46303fb9d9ecaf722e62b30db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e38cb548e7922cbc7cd82a79ab8b9c5

SHA1
4a098e15d88aa65272ffedb6014b18a18d6303ee

SHA256
3acf4b5c5f7c4a3abfc13090a13d4e729e4da3419fd2b869edba60faa5d06e19

SHA512
34813546459ebe324a37147826fed0c61ee151af3e4f9cd16c6ceb6f76d80075f4c5991ed04fd48758f7ec501091fb4f6e06001d41fb5befe882408da2b217b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581c1e.TMP

Filesize
203B

MD5
6672bb96b607ca6c8f07f1c90768a32e

SHA1
f2e68955c52f8f627ec0fb9a2502a854c762f086

SHA256
e13deaee0eaa6bb542aa38d459357b314dd648470942b3ea0724850f3a49fa25

SHA512
64516b5c0054920c3df3cce99046ab872747d64e348fca41db5be5e7d9a53c18db221cf69b2d7e99e7cd3ebae5419f0374dc3f95a6c228e09d7e3ee4e7a7ca57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec0d709cf2d1b15cfe4e2ae3454cfacf

SHA1
57dd2570d48643911e4fc23d0cf3271f87dc8e50

SHA256
423515657ec699496b395a0decfb7c28e862ac2128b3e781d9a501be242cb051

SHA512
f8c9b55029d328f1f95285928cf6f1d70e76b297ce454a4dcabe687ba36f8acabef94b6b05faafadd43a42d66bfb8f73b32a12c8f471009e2cd6fae790e9a856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
116e43bfea084a1786bd131222fa2661

SHA1
1a47de19b266ec20eb6640dfeaa664c07da1fd3b

SHA256
48c2c562b50cabc8ee2b330bdfff620c2b002b8844722976348b5a3a3fec63dc

SHA512
47498ad35523eca709d3f6d43d7ddfb9bb8eab07263ed54dc1a18d739b35a05b2723f6644c25f58f45928b885e502fd1c5ef3d88e1f45356ff97a43a7ebab173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efbde93072467c5483a067b51be4fe57

SHA1
642c38f80ec4dc562336d1f368ff67e295db489b

SHA256
d92a129c72fba2d090e600dff0df7ad060f851f3e5f97b405be1c9080b88f2e3

SHA512
ac14c1530615b2f0f24bee270c5432dc9c629bb2dfb3628692240a19722a8865e9b48cd7bc59cbf99bc02b01edbca88dbb4032055eae9fd411a15217992571f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c246394366de4f27781bdd3d9c314788

SHA1
ada6ee5dfd7e7e058edc2e73949f43966b721c18

SHA256
32054e0bbc30e188a9a49a5e4092104b45eae1204dc8227ed0d8c4126ff06d3e

SHA512
2978f7737bfe86b79d847401a9f52fc6ea2f654be773aca9acdb7460f1b0f36973e7980af8e89b6996331d537c593e6ce565b698c7770c28c96c6837869aa49b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
069c37bf9e39b121efb7a28ece933aee

SHA1
eaef2e55b66e543a14a6780c23bb83fe60f2f04d

SHA256
485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

SHA512
f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

Download Submit
C:\Users\Admin\Downloads\Discord-RAT-2.0-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 542733.crdownload

Filesize
12.1MB

MD5
017e28cd77905a0bd918d7e725632a2a

SHA1
d709e343f64d93ab00c6fc0aa4ae6ab22aec9f73

SHA256
c8de0e92e603214114f8800dd99ecf8cb69ac85caf8010a99ba3f66afe70fcbf

SHA512
0ae6f1dea994d879043b0ef63049cdbd68dd7671b1df53f3688e91a7027dde8de6d193bafeb12f4c6b7f97909d116f06811a29d13c56ada2c774e78dcc5f1a16

Download Submit
C:\Users\Admin\Downloads\bu1lder.exe

Filesize
78KB

MD5
f771ae72e641f077055338dc96de19ce

SHA1
5eb2e307ea6393934ec5cd60ee596d7149f3991b

SHA256
c067b3cd472264f87b2b27953615a1e96309367b34e787669fda646375823920

SHA512
ea384aa477b09927bdf7086fc4e5831918420b818dbb3e54e540b95848c136b60d30fec84c13a67e4243154823f8144e4b3754469ff49cd481b53d07872db69f

Download Submit
C:\Users\Admin\Downloads\bu1lder.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/1644-1146-0x0000023A16F80000-0x0000023A16F98000-memory.dmp

Filesize
96KB

Download
memory/1644-1147-0x0000023A31690000-0x0000023A31852000-memory.dmp

Filesize
1.8MB

Download
memory/1644-1148-0x0000023A31E90000-0x0000023A323B8000-memory.dmp

Filesize
5.2MB

Download