discordrat | 84e7eedb49ebd49bff86478c263d762cee2ddf2e6978459c332ceeff5bcc35e5

Analysis

max time kernel
357s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20240426-de
resource tags

arch:x64arch:x86image:win10v2004-20240426-delocale:de-deos:windows10-2004-x64systemwindows
submitted
16-05-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fivem free cheat.exe
Size

78KB
MD5

132c4cf7a8fd37e110b6fc2a95db89d5
SHA1

e72678f6ba27fc4f0e0fb10b2c6a27ae746f884c
SHA256

84e7eedb49ebd49bff86478c263d762cee2ddf2e6978459c332ceeff5bcc35e5
SHA512

163b788b3db777683ace74f4c966c5674712eb1fac9eecd0c384153b49425deb02f4f2a925fd8b327e512f06f46bae1171d036d6cf20e301a2df230ef9af82b1
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+GPIC:5Zv5PDwbjNrmAE+iIC

Score

10^/10

discordrat evasion persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MDcyOTAxNzg4ODUzODY1NA.G5rU91.u7EjqF3au1XeSZ31QdazSwNqM2h9lVjKcJ-rKU
server_id
1240729454771306547

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
32	discord.com
63	discord.com
66	discord.com
10	discord.com
12	discord.com
93	discord.com
163	discord.com
81	discord.com
173	discord.com
174	discord.com
52	discord.com
53	discord.com
80	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp91CB.tmp.png"	Fivem free cheat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5052	msedge.exe
5052	msedge.exe
2036	identity_helper.exe
2036	identity_helper.exe
3832	Fivem free cheat.exe
3832	Fivem free cheat.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	Fivem free cheat.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2728	3832	Fivem free cheat.exe	108
PID 3832 wrote to memory of 2728	3832	Fivem free cheat.exe	108
PID 5052 wrote to memory of 2944	5052	msedge.exe	112
PID 5052 wrote to memory of 2944	5052	msedge.exe	112
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 848	5052	msedge.exe	113
PID 5052 wrote to memory of 5004	5052	msedge.exe	114
PID 5052 wrote to memory of 5004	5052	msedge.exe	114
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115
PID 5052 wrote to memory of 2032	5052	msedge.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fivem free cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Fivem free cheat.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77Fivem free cheat.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Fivem free cheat.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
  2⤵
  PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2ab746f8,0x7ffc2ab74708,0x7ffc2ab74718
    3⤵
    PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc2ab746f8,0x7ffc2ab74708,0x7ffc2ab74718
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,11328127521369804233,14176077327291731645,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1464

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:4772

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
8448235b58d80a0b4e2cd902f808f571

SHA1
909eca0e1ec3fdbdb521279e829447bd4bb7e415

SHA256
6754fa31da9eae4900eff7171059c3243bdfae6bf376956bf37f7396dc2749e4

SHA512
fc4a02662ff6364114feab0b3c96f7bf17b5ec8d100afd96b0c6656867e24b6ad2267e5669929ddc5ba50693272f18b5b16872087c57be7f20a5ec0d1e933f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6e28b693d30d13e2e0ff198f4db9eb4e

SHA1
bcd0a3cd4696b10cc9441cf8a466d87578a55a5e

SHA256
26514bb660749b89a60d60b5923f6e8a800da11d8b3bc74f9b45bf003383cf0b

SHA512
4e3c730dc6a09b52c5918534f3382404e74904bbeeb9b4d57ca10275de408c8ff4cfb0f95970589f0bd0b9053f2da641cd0435b7629e04e7ae8bfd54a864a146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c6064ae6f9cad1a6255ddd84ef46960

SHA1
794140e163c77cab549341ceaf6cb39bdee4b297

SHA256
06b2a8bd1eb6dda183fcc91aa06618897ee0139b6659ab09825fc250ce8576d7

SHA512
c8d9eb93b0a0852f725dd3f5e89d844cc5fe4b5e1130c7ccbd2bcd507e95fec97c25dc1f453a599479e010b6de0e10773ff062d0da45568c8d4f694dddec8a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f4da980dcee33ab52af36b364d6dfb6

SHA1
1ec62d3d69c1151b3e2c535d7e3bb728776ac8ae

SHA256
702470494addc3b01cd85d3848d34b0f9b9008d14a80606f6a129c02befc790e

SHA512
af49b041b68c396e375a2337911296f4ae7a0befffb744c35d839f5567cff50acba8c045044752eac8382394719ec6245f1fec9f8eb76d54f55cd88aedc69552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e7031a232837d7cd29263984fdecdb05

SHA1
a72575c237d5feeb6970ea836b9b550b97e4c1c7

SHA256
290530d2d5f5438eb21230b7fdfd9cdab455477fba9b2b002670a322afcd0803

SHA512
47e61f004448e68d1cc3618f841d989fb4ac898b75dfeb707a8dcbd67a1a74ae291b01b337bfc92f72c78aafc1ad0bbdd134c6e50156dead46e57e8636dc05eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f1f365177219c7740185bf91f779b3ac

SHA1
cbd6e3593a0de94b48ca22568961ad694092c35d

SHA256
d7441279faff4337e1f2783e26a32e40a5f4ab848eb64f9f62b93b1de5f885c5

SHA512
33d2f545b4d26bc89104ab7055276f0da49ae344b33528b705c467f76151a5cbbb40ddd147b2a701372b7084fc5891a99e2f3075a45e9bb62e11ea6d494877ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ed9bb0b7d4249d8d016977a3b5d288b

SHA1
ab2274cc14ac5871f01fdf1e285f8db8a4a2a173

SHA256
8a931125c317aa503bf9e65e1a763e9ed567e7633bdb3034ca863c3c3b8735d2

SHA512
f089859f1a94ff9f264cbdec1d5f614f9a803860c0758a8cbd4d866c32e61be89e90ad5130cb843133cc40341dcc3db158799a41b7940af3d55c943a1cc6f886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
492563aeb55de82b936798160a5aaf50

SHA1
2d1bf06b1687a422aaaa2224e45a5cf8238dbd14

SHA256
dca2269b28536e0f2847295b71aebc74cd10404d27f350321b1331bf2d2305e9

SHA512
237e32feb3acc023899ce8dcdcfca1fbc3e76b021e6b16a1d75eaff1fb6e8bdb1c4f3948730267bfd0fc57fec4cba9dde3f46195e6501478bebe430bf6e88c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b9de2.TMP

Filesize
48B

MD5
84cede5411b8271fdb17eb05f948aa41

SHA1
ddb30e62f4cd45f6ef0804e6dbb7f525af4630b0

SHA256
49e57b83db4f2a9ea3033c52740618684eefd35afcb5b4cc20d3ad71f3f4c16a

SHA512
aed9f8fcdc9229cf94ccca27e7e735167d97d0514457cb59da5261605f6c91bd8336ad09276ea87d1652c2780e2c0f113f7990c05b8cb9a6f88a32d9e7abf007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
56fe5560b03555c06fae583f02a35df7

SHA1
ef27f5d9b292044a36a71b763b8d8e34e7d61ebe

SHA256
bb10360211211c1a5a48ea9b1768fe9c468f4d5a1f86cdd62e711d81ebd843fe

SHA512
42cb86d265e43637000526943beaf391a67afc73d1868ed2573bf92df5ee37e18bd375ff00eec9af3be564dafe894ce8c05909adab7f5cfa2e4e84d599684b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b74a0.TMP

Filesize
871B

MD5
b360fb3910af79fb70d556d7734b68a5

SHA1
f37508852625a4ddc81ee0dbc186bf71fdafe927

SHA256
69ca85fcfb38daa719da5ebf2f25bbb7e380d782c5c7b12c161f6dede9465124

SHA512
a0adfa52bbadbdf7152093765191107cb8307e32f660923c9c25c4853e15e639add2b67f21f9a186a5b90b03a0e27b693cfe946e2617328760f919b2bf960025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2877bf2daec9461e7426ce8cf68ed6e5

SHA1
af3f08ec1d38bf25eb0a43c6d24dc438634915f5

SHA256
df5efbe905eba260e335235f9796da43ab10776437b460b976ba7ae910261553

SHA512
4df6768cbc4b9c1d1a966e49831e41209f7348e11d3620efd4fcc94b957cb0e2e4a78d851b0db18004fa2b05065239220d01e2247d33fc0dc3c49016ac3100f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63cb910678428101c6e7248354eebb6c

SHA1
8e48d02920ebebef55085f8c97ec674f6e7969dc

SHA256
ed4c306b7af91640d5105be86d7396589f37c346d89a6377136871016b2d41a6

SHA512
6eae740cfd3ee287602b0702885d1d7563d98de979ad049033e25aa38ce97db2771533fe37e72c06d9cf1f3c20ce49fb48e2482a9f98278ede3046aae73f5ff8

Download Submit
memory/3832-7-0x00007FFC2E573000-0x00007FFC2E575000-memory.dmp

Filesize
8KB

Download
memory/3832-3-0x0000023AB5A00000-0x0000023AB5A42000-memory.dmp

Filesize
264KB

Download
memory/3832-1-0x00007FFC2E573000-0x00007FFC2E575000-memory.dmp

Filesize
8KB

Download
memory/3832-4-0x00007FFC2E570000-0x00007FFC2F031000-memory.dmp

Filesize
10.8MB

Download
memory/3832-5-0x0000023AD04D0000-0x0000023AD09F8000-memory.dmp

Filesize
5.2MB

Download
memory/3832-2-0x0000023ACFC60000-0x0000023ACFE22000-memory.dmp

Filesize
1.8MB

Download
memory/3832-6-0x0000023AD00B0000-0x0000023AD01B4000-memory.dmp

Filesize
1.0MB

Download
memory/3832-8-0x00007FFC2E570000-0x00007FFC2F031000-memory.dmp

Filesize
10.8MB

Download
memory/3832-0-0x0000023AB55E0000-0x0000023AB55F8000-memory.dmp

Filesize
96KB

Download