discordrat | hxxps://anonymfile[.]com/JE5kR/ratbuilder-by-enwyry[.]rar

Analysis

max time kernel
170s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2025 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonymfile.com/JE5kR/ratbuilder-by-enwyry.rar

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM0MjgyOTkzMTY3OTQ1MzIzNA.GEUSy2.AYN39NwyTEaJ3kT771kPNScewvwkxumVvIts08
server_id
1342829779400786014

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 2 IoCs

pid	Process
412	builder.exe
4180	RATbuilder by @enwyry.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
552	msedge.exe
552	msedge.exe
4436	msedge.exe
4436	msedge.exe
4608	identity_helper.exe
4608	identity_helper.exe
3604	msedge.exe
3604	msedge.exe
1772	msedge.exe
1772	msedge.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	4776	7zG.exe
Token: 35	4776	7zG.exe
Token: SeSecurityPrivilege	4776	7zG.exe
Token: SeSecurityPrivilege	4776	7zG.exe
Token: SeRestorePrivilege	3108	7zG.exe
Token: 35	3108	7zG.exe
Token: SeSecurityPrivilege	3108	7zG.exe
Token: SeSecurityPrivilege	3108	7zG.exe
Token: SeDebugPrivilege	3492	taskmgr.exe
Token: SeSystemProfilePrivilege	3492	taskmgr.exe
Token: SeCreateGlobalPrivilege	3492	taskmgr.exe
Token: SeDebugPrivilege	4180	RATbuilder by @enwyry.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4776	7zG.exe
3108	7zG.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe
3492	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2728	OpenWith.exe
2728	OpenWith.exe
2728	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3100	4436	msedge.exe	87
PID 4436 wrote to memory of 3100	4436	msedge.exe	87
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 2424	4436	msedge.exe	88
PID 4436 wrote to memory of 552	4436	msedge.exe	89
PID 4436 wrote to memory of 552	4436	msedge.exe	89
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90
PID 4436 wrote to memory of 5092	4436	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://anonymfile.com/JE5kR/ratbuilder-by-enwyry.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff39fa46f8,0x7fff39fa4708,0x7fff39fa4718
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1252 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,14070572412104212520,5835928054773194180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\babb\" -an -ai#7zMap29941:110:7zEvent14515
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4776

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\babb\" -an -ai#7zMap24463:82:7zEvent31881
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3108

C:\Users\Admin\Desktop\babb\builder.exe
"C:\Users\Admin\Desktop\babb\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:412

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3492

C:\Users\Admin\Desktop\babb\RATbuilder by @enwyry.exe
"C:\Users\Admin\Desktop\babb\RATbuilder by @enwyry.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b5cfebecbfd715cf1c2e86aaba6753c

SHA1
c2d783bdd82fcfb68e8d566bcd34ead327ed7c13

SHA256
6fca1fe2a780fb27f0493353a73b9ae02e9671b51a50b07566a322abe3b25cbf

SHA512
b6ba779a8bb083a12f7f100c4c338d5902f2e2762654f70fb578dae4c0dccba1c7eec4cb0b5cbc1d8567fbb02624a077fe9f60573dbd12b78da4e5ae618a751f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a690d53f0215760186aa07b114ac4561

SHA1
601015b3d5837e99e481db0dcdb0ea33fa80cefc

SHA256
8ee92ce70ce780b9af998d760d7226892a37c4a7ca5bddfaaaa5da016dbedd93

SHA512
935db7966c0c541b2894b83af14586dfffe138a2a18dc60bfd9d076fb724410841b5536261a090ce57525f8a7dc25e4bc3b133fce61569beebf4efb126607a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
151751fbf2c3c5734a4183ee5bb0d78e

SHA1
b91b1ad69f3919ee4ab7fcdd898cb7d13cd39894

SHA256
9ec10befec0d690ed488ad34a5d5ffb10f7599b6e5d13a536af81d36cecf4aee

SHA512
77734ffe74fad65927a9f442eecf0a6803c5cca6dd92e657442c0745772b4511cc39448b940ce3b491fd1d700c2e4dd313d54f4402e3a800d7eb4a75b067cc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3ad195ca42d80dbc3392fad6e13dec72

SHA1
122f8e093676888dbf4f8cdbd414c4d6cbfbe0b6

SHA256
1afcf85f420dba1080625309f829dc83932bb29e29f86574f0a019a61059e35c

SHA512
4e84f368bed4c714b6fa007e751508dd23ad19f89acaba14963ee44adcf994f78093ed246d368eb1f82b361289c0e3c45253c57d33822625ce59a028c13f6c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
b0ea5e8bdba40c08c0db49d8f1fb84c1

SHA1
43e9c1ce54c2eca894489ca82f323770d32c7d55

SHA256
d0e00a73bb09b6aac0ed3e76959133d3bcca1c3057a05936470c8077a7a01622

SHA512
50eb3930c455d4607322f6f774a2385a808a9b7245f68a170b2b3ddd61fc7941971db47c316a7cd544a1c76062c83e81df574bc9032b37dbd86d4d565347767b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
777f9360c3edf598b8bc71ec6fd86f8c

SHA1
19c10142fdaf4ac35a1e57744df21be5cfe15b76

SHA256
22931ee9c8233c8bd5d35082dd2bc39bf83e8de844124fa546bc634571b995e0

SHA512
8e1c8ff1ceee265f416f801d73d9a715206362011f36a13a622ab8ded0359fb2447e9b956d8bec31eaa93b362b1dc19eadd8f838ae432f4dc0be788043f264c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
873b9b9604b94024fc3dadca0fa2b183

SHA1
11be7819df2ae1d99d44305f3cbe0dc9f2ebdc4d

SHA256
6d83118457f840630f02a5264a00a601235461e0da22164177ed277b6fa51491

SHA512
a6e8b4546b772da90422fdf62381de618a0a7e745e0bb126799b0d7eada98444a84981b3b14204402315a987fd44197e6269c7da7d11f8ab741627a5332be588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
318d322f2f4df80a94cd7e616a561c51

SHA1
557dd8a0b5419d4f650abcbbef7d04b24dd00fac

SHA256
9b73199f9694e2e7e630d1ea6b39e423372ea008582132e4dcfce603f67683c0

SHA512
a6d8f3c7346a5041ed7ad58d4f27092096b47250917079ceb1700eb755397fa694a7ee692de1c478c1d813e79db52b776f41aae0593135440672a34ba2392220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f726e909c98e2c33ee48a4445cb5ec14

SHA1
b6cb9597d730d7106b06411f08ba1d77dfb63499

SHA256
cf9088fb18a0a7355c1b2d3736652b90263840119303250d1b3c59435a655b4b

SHA512
7ed57b75d61f4ce8741973463f0170c5b9322db1c3e1589885744c7c1feba7ba6c9e0781c2fdd46e4471e14737e77e6655989bfde9e39f683f77541ba3a38550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
540b090797fa8c382135930e465263ad

SHA1
c0d5fac44901f3078bb53011d358e61dc0589bb5

SHA256
c9b82142027e20bc04ab67351d2eeadfdd0f4d71bd275d8ea2b805381e8f44ea

SHA512
b413a681e7b8e3db9fcdbfbf53a0286bae1409c4cbb28f62b8ac73f1a93ed56f77f68ae1d47ddacb61e7cb1f128c6206cf4c81a746d1c9cdd726dd0b2e6888c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
828fe1aaad1ece284bd53003d208e76b

SHA1
112a3e88f445cdbff0ad145c7008343317af1459

SHA256
6c9619f5bd7cd18349965ebb38e4a62b1e8233b5468bfa2234cd0d5445fed6c2

SHA512
b33bc6d7e90a503f95d5cba020964196082acd8913e4a18b6bdbb7562f04b9f900b46035f354aff2f42ce90630739ef1e8587ddc2224077d97447139687ae1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a304fd8ed836570f682de86519758999

SHA1
d9fe2eb2601a352e55a0be8c36afa544eb9864a1

SHA256
a533523547a531c93943b6125ba6dfbb7499144f8a56934a16a9972a396c0ffe

SHA512
18d68b471cc948e0aec2c38e6dda9bab016e3ae38f70e95ce8c7d6b8c4b4818f813d3257eb1a96c3bc80bbf4e3954546760676eb0b23038425f32c75b4e18703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b3bdffd9f1a7f06708aa1235256f9a0b

SHA1
5cee6cae58918aa0b9945eeb1b75e339e8fda9ed

SHA256
53c0cc114a91fb249ef6ee853bf68df443fcee79a0345c4bb080479d43382bd4

SHA512
e3bbcfbc6e023181ea904575af8512fc7f1dd9bdef428b711cdbb830df2225705e51dc4d116f8169e8f85a5e38e751f9e9232ecf48b41f9e6bfc214e78579f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9ac7d64ba533facf33c12b2972d57175

SHA1
0ebaf3c94cc3e9b9b02d7547a09bb717a947fdb3

SHA256
3a40027ca447bdbc4a277cc817c600cb359e26ff350c7bacf4c87e8b35f556a2

SHA512
96c4f83e1963bc4f6367b8916a97c8185cdbd9e33dcc89a541f1688103296226c017c84e3e41fbaff1ed197563871183f620562a02f1f0bcdee117247a878e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b5f0c34d70834a35d10eaee1a4ca6a91

SHA1
f2b92d13b718db97c03a1fb8b8a6a1387ec909f2

SHA256
12b4b8ab14ab3c436a3908fd174f7f522a141159c02954d1ccad923a2c22931b

SHA512
85209b5d21c39015f7c1d01349b61d99b6fc6b2aaeafe7c05d41d42f521777d1f33093b74953fc1fe243e06364100953c48f1bb21eebb347ba8c2a67de00d613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b177c9078a6b68d8baef80bbd9752930

SHA1
286fd8e1e78c2bbeb762da477228687e9b8d5950

SHA256
55c67058b557de4e4cf203e23b701d82cc62b0cd5948741221c543b0bb02878e

SHA512
92aa54553e01c734800b6072725c575032d3fa5367c9ab88ad0fc76eb266f19091b510ab1320ced1514cddfd3606f0e100d4dee15709fb3bfc2e107bd51c88a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1e5741ab21ed74c896b38350ae4e05e8

SHA1
1ab941c280e33db0bca38222a0a9d0f0a4e86b36

SHA256
c0ec38804daa520844bf9b14e701760ff6506849e4741b6f09d66d29bd54af94

SHA512
9e0ad44c2465d308cdf65c4ccb35b08b9ce6980f58580a5d4d40e16ddcbdf76353218310395b4b1fe20ff52b8d11097823a83f261efd14f24664d7fe265d232f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
65c239589a5458b65cd89d8a9766d47f

SHA1
c501712b8629cbd6ce390fad925dcdbaab3ca4e8

SHA256
2585318e27245bf0de1154c8e587929394c5d4d6b0ff3cc3c5a51972a48b1738

SHA512
1581f198f2de289f7020e704088697a1313d3f952570930b2a495459e6257db16c704d53a5e9ebe76b79cca44eaf4b9a664aa42cc1b777207859902ea6b6376f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d4cf.TMP

Filesize
874B

MD5
81cc50e764a3e799fd918755c26476a6

SHA1
64283e63733dd513026d2fdb36cbea24e5a2f828

SHA256
ef182d46f2b1d251397399a06753b554e754398bcbc6c39862cc0d07934d7f44

SHA512
2dba0290a1758b8f0caff648259117f0de5384886f358143200229846c69ef8d7291ed073f98b6f0ede61346ca53d48ab5d469b581a07835f5b1895b13bd1ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c2d33d018bc9b11eb3efa249d4738dd6

SHA1
83c21f8720c6e758aca334eebc7d5eb55d57bc54

SHA256
c5678f2d84b4c42dfbf1d8a320068a18e4960fbe4de40538295983d2928ede39

SHA512
6899aad62a9c5411048783e214210b2e748858edfe64a34944e524caeb217f0fc6d7f099aa73075db62909318a881d497b09f2605ea1db23f5c84c1a8f1a161c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
704da10eeb188e929138312bc001e897

SHA1
a812fd8642d4ea3f6200f131ace9876c9d642f71

SHA256
7011526872c1a3bb6e058228c280998466e3bdc58300124845e37d8135454027

SHA512
0eb80194f61aaa842ad9421b2b0bf47e1226a78c8bed092b5d9556fcfdf5540fec18ead9637df1d3f6d41f0371609f5afca8222b67a85ca3cf2d9ea925b97665

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
4d563092288bc3c439528f4851b915a5

SHA1
e491d5d7af1528930dcacfbee76698eacdc6e8d9

SHA256
75403ee7678030ba8e12cb4c1dcfc5dfdfdc969dfc6c545839e792f851a3b441

SHA512
240f2d17c51d7c1b8f376ef4814d4b9ec723506b0c03793573f5f5041e21beed08d161b1c8e5bcd5ff3cac42d4e4a743b4122572f5d1cd988dbbe440339857d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
0970986de8bf177efddb776d91b6563d

SHA1
ad02b88a02e4ae155f5432e5e851cbf268fa3125

SHA256
e1cef510492ec40835f3c51e251a3670d6579af29a7a4c1fc95e18b39d4af051

SHA512
c5a7f3a6ed48e401bab0faf59b072dad3360c9dfbe92ab04cef0616f605df30c9ad37db2c018215b44583b53a1f1e77e6cfad79caad3dba1edc6b06ae50063ca

Download Submit
C:\Users\Admin\Desktop\babb\RATbuilder by @enwyry.exe

Filesize
78KB

MD5
4ee5b6379b4a86d00d0b9a80e766a3e9

SHA1
839bf27c98e2d7bb6bf2ba7b574206730c6bb394

SHA256
41446f07753c008bad3eb239b5b7a8d40a46897dd0470ccd32d6b326cdbf95f4

SHA512
600d0e22e4913dfc5128dcfea1ce64c5fb6fcaf7e2ebbe432b9fe021b3a5fd95cc86391fd238db005b14a09ad65e9e55ef2903a433a6ed5371008913d0a43cf7

Download Submit
C:\Users\Admin\Desktop\babb\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Downloads\RATbuilder by @enwyry.rar

Filesize
26KB

MD5
09c8653eb4397d70e1f82af8d7f42272

SHA1
f38d9d369e6a890de96fa2bf56ef33590405246c

SHA256
652bc64c73599f00d451788cd89aa0f4862f23ac4e465d3d2ba68c7eddb94a0d

SHA512
c8181d3f00ca285782ceeab700919d1ba5d7d96d134cf373636f8d1cd469e799e671c879364dafcc5bdcf22089300fbaed760122246549eaded06ccda56a2e16

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/412-691-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/412-692-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/412-693-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/412-694-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/3492-697-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-696-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-705-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-708-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-707-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-706-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-704-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-702-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-703-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/3492-698-0x00000207AB180000-0x00000207AB181000-memory.dmp

Filesize
4KB

Download
memory/4180-711-0x00000237FCFF0000-0x00000237FD008000-memory.dmp

Filesize
96KB

Download
memory/4180-712-0x00000237FF650000-0x00000237FF812000-memory.dmp

Filesize
1.8MB

Download
memory/4180-713-0x0000023798000000-0x0000023798528000-memory.dmp

Filesize
5.2MB

Download