discordrat | 134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b

Analysis

max time kernel
709s
max time network
722s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 04:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Wave.exe
Size

505KB
MD5

634012a39686513995ecbbaf04235a0a
SHA1

6204df4370ed114bde2caac305f96b1954e68504
SHA256

134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b
SHA512

b8881eb85dc001d4c256a60dbc141592f89ffded8f90d2240c80d6af6468a34e1ac52e288170c0296cf1afe735e7ef7da6a4738adcfc253fded53c7c56ebe002
SSDEEP

12288:TyveQB/fTHIGaPkKEYzURNAwbAg8ox4CA9ndmc:TuDXTIGaPhEYzUzA0qV9nkc

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NDI4MDkwNjYzODc1Mzg2Mw.GB5zNE.lgu4CSBwMUVxaeb6e0u9sFYW6gLtr8IglmywhI
server_id
1189676766084735048

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Wave.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation Wave.exe
Executes dropped EXE 1 IoCs

Processes:

Client-built.exe

pid process

2624 Client-built.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe

pid	process
2624	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

Processes:

flow	ioc
72	discord.com
141	discord.com
149	discord.com
27	discord.com
151	discord.com
186	discord.com
189	discord.com
31	discord.com
136	discord.com
148	discord.com
137	discord.com
138	discord.com
184	discord.com
188	discord.com
26	discord.com
71	discord.com
134	discord.com
65	discord.com
66	discord.com
135	discord.com
140	discord.com
152	discord.com
181	raw.githubusercontent.com
182	raw.githubusercontent.com
185	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1764	msedge.exe
1764	msedge.exe
4800	msedge.exe
4800	msedge.exe
4072	identity_helper.exe
4072	identity_helper.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4800 msedge.exe
4800 msedge.exe
4800 msedge.exe
4800 msedge.exe
4800 msedge.exe
4800 msedge.exe
4800 msedge.exe
4800 msedge.exe
4800 msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Client-built.exe

description	pid	process
Token: SeDebugPrivilege	2624	Client-built.exe
Token: SeDebugPrivilege	2624	Client-built.exe
Token: SeShutdownPrivilege	2624	Client-built.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Wave.exeClient-built.exemsedge.exe

description	pid	process	target process
PID 3028 wrote to memory of 2624	3028	Wave.exe	Client-built.exe
PID 3028 wrote to memory of 2624	3028	Wave.exe	Client-built.exe
PID 2624 wrote to memory of 4800	2624	Client-built.exe	msedge.exe
PID 2624 wrote to memory of 4800	2624	Client-built.exe	msedge.exe
PID 4800 wrote to memory of 2712	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2712	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 2572	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 1764	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 1764	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 628	4800	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd15a946f8,0x7ffd15a94708,0x7ffd15a94718
      4⤵
      PID:2712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
      4⤵
      PID:2572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:1588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
      4⤵
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:3760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      4⤵
      PID:1668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
      4⤵
      PID:1384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,536746929315192092,2901091995543470662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1376 /prefetch:1
      4⤵
      PID:3472
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.nigga.com/
    3⤵
    PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd15a946f8,0x7ffd15a94708,0x7ffd15a94718
      4⤵
      PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ef7a39db2fc95a4626687d91acc26dec

SHA1
65fa1e0201259956b70ffef3c080953412c10bf6

SHA256
827b6e014694d6e78615e410b35f6a2723f00d17a5d270651a50245a2a0a1cae

SHA512
237be71155991e940dea1df54ae754c4e7a81f4a15a3c43520046264447b5783af27f5930de7be534d36450a15844e04a1f22aafcc86866235a12e08fe757f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
5d8dcd601f4145b8deaab2b330a512bb

SHA1
324d71079b2fe8c0fa8aea367a33d17419b2036f

SHA256
667ee8864a86b0b1dfcdda9ba31e1e914cd5f154f74295ed14eb5f73f9df959c

SHA512
26436d5c7a4dec81e2db574297fda549c1e0fa9f345a216f10aad5cf99c82eb41d46d7175abd52ade5f111c4b29d2c46b5dcad4ea90c0cf2fd531ecb2ecd1cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ba69041246ea47f6d0cd4ca3dc3bbd3b

SHA1
55097ab8da22337351980c0f88148852d193dede

SHA256
00dfd65c5b0b38e35cba85fb9b409ce57d817d07d28c0db173cfb3520229fb43

SHA512
d896868b4718f78cbc6ced5520575f33a422ed552cd3d2c3df0f623e93d4aaa77b654c28b64176ee149f480e0380fabb753848220c86bb710a1b64840aa054b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
29457d7e731ec61862b15b268eec994f

SHA1
a33bfa2c0391ce06d836000c88c488e6276409b2

SHA256
42fae6386995c3cb51a27e5322d805f85c4ac8e80e8ff1df3aa12e49e34a18b2

SHA512
f403fe8da19f017700a742b3c3e1351a8a044a6eeef872f7e9d01062046f94f76df6e7e62dcab6982d8db42b3be0e15513121f46e0684b5d94e837b583481adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1292020a88b5d706537629dd97ec6613

SHA1
690e0eb0286396c8003b77e504ec195cffd90cff

SHA256
ecff9b71250ebfef5c2a4f595fbc17c0e0fd6c605d7a812075d97575d8fe29f8

SHA512
4fee436500a42f5f0c92c59794a256217d92777c83fec3ffa7457b99074f7de0e09984c8e71fb53fdc32c9e3226d00f2a14713466017877102001f10da732bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
22874698fa1034c79104ce623d15c3fd

SHA1
a42079a61c938d5378549b1c40d7d634da21a1be

SHA256
e44a15fe6865945a12e08e2c04a8f7c79b23649bab2fb4e0b27f09246f6882dd

SHA512
f326c9654aba12bfd1380827b2b535833b0cd4ea3c3b505fae47449629336ea49cf1e0a2ac1191abc74b1439843bf445cf21760ec86b846c7e117b58eebbe542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1ae7949b15d7d77f7eefdd8a150a1085

SHA1
bd71460790d611943fa765a1da2f3f95971c1256

SHA256
dfd46e6a13d459f987bf7b9b13e3774e9cec2fdcd245a4ea2e962ed3d1df15e6

SHA512
aed58be25bdbe8cf766e91fdc15bcaa1765d3068a9a784fdb570f1863c4048479247adfd745c133ce25a08414f4b7788de66775e473175e4935a3020a8855803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2562f6590264785ffbf0364801f35c8

SHA1
1638ea313af16d97a57cf6ba82999b09782203cf

SHA256
08589f3ebebbdcfb8e1310e1921fdf6b7b19fe05522d95efe5b25c5ec5fdfe97

SHA512
91c9b1b0380523ff8c86834a2754917591f43619dee879d12de4d87c0c96827b5c00f5b8dc01b62f7466091adaf9550057d747384329afcfe8fbfb4de2a77e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ca34715a2a18c0a78969aec76f10244a

SHA1
3fc5503fdcec051efda799c859bd88e4e63c296c

SHA256
686272a6ea5167ca55dbb512967aee51f57e47ef6bc82807db0bb1396a6ba26d

SHA512
0334e5f9fff039849804478429f36fbddaabc1a2c501e24b1ca1e9d0011350bf4e33d6212d2c7f02ef3c1c184a0d38aea1e81f636d34b686e3900061c01f5fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c0b52.TMP

Filesize
48B

MD5
e605ef81e10fd80d3283f5919da75cb2

SHA1
9144266f244a65de0d345991be0d87cd3f599f20

SHA256
522b3703bde5921b8c43038342d419016186a5240da4a521cd69167fbc46303d

SHA512
b64aa70ef393d7f1a02bc52faa5ddc0b1c30dbcee11dfd5dd7b0e4fcfc98516fd700c8931d25c49e0adacaa66004c1c7999d01b248e043e2a3b94b1c9db200dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
43646b2cd14316a203badf1febaf5a65

SHA1
f72ede77927af1c2848c92d30d629e1e2bb087cd

SHA256
d70236f59cfc8b6c2dcb84c18a89c261c932c4dbd730c75737777ffb54ba84ba

SHA512
27425f6e2f7829add586faa271dd9e0d02cc191a0089c64faa7d375bf6945c2410cb9a2adce7854de50808d2d217dd8ef702d97414218b1bca57c81554c7e978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
52d4a2bfdd46ecefc879c09d03d6ab98

SHA1
e4dd9b38746155e23cb6431d10933447ca0810f1

SHA256
2954657396d29e2e33be846b14792115f9bc4fbb1e0e3cb4e54dbcf0b5d6660e

SHA512
56904c1cff3adcc683b15351f8388ff7bbf81997ee9a04e173bda18674d0db10aaeb2adc6d3b5fa3f3d4ed0c6cb9ba5207fd6500bb87440849cabe4b171b0ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5f51a3.TMP

Filesize
537B

MD5
8c4e1ef7413ddf684af8bbb1bb4a4ffc

SHA1
c06dc1c5a6b7c598dab28999d9e6c9c017b0fe8e

SHA256
9cc60f09b16f32f89f333bd4712fb6eb0d02f20f9bbde535b520a800c9a7d63b

SHA512
02832fe39aae3cdb588c3bff04f6dad8213d782a2b6d3998a0278b3acb80b60a07f0540c211c151794379a8fe74a0857be1d3689ac3fbcd2654584c10658c860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
054ae62c3cfeba8b86827cb09dc24507

SHA1
e1ff443ac259876b97aa52eca41b56222429d6ae

SHA256
0a8993cd10b80614c79dfe715a33ac4a1fd989685a5bb79311ca1b6743be7040

SHA512
a6356e8bc528cc210ba8431523bcadc7effae248709ee46e0b776815427c9bb60c872ad718be83c20a592a15adeaadb621aa3d779d6deee9de93b355627f57b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
c2207566970ad0379a62da59e3c4caff

SHA1
59759d884744c5c025fe800a0b86b63555f7bfe9

SHA256
61247d55a049a1a16833a6be90b50ceef20340db7b31181b07d95cbc345dd1ba

SHA512
2b6a2684c1a5db78fc1080c26b7263bb5c04eb760d142369cd4d987b35ff9fd76092fe3ceae0633f26f98a12b4d1b5b4aca7071a7022d22d264237dbf1a488bc

Download Submit
\??\pipe\LOCAL\crashpad_4800_XIBAMNRDOGQMGFJK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2624-19-0x00007FFD053D3000-0x00007FFD053D5000-memory.dmp

Filesize
8KB

Download
memory/2624-15-0x00007FFD053D0000-0x00007FFD05E91000-memory.dmp

Filesize
10.8MB

Download
memory/2624-16-0x0000021659FD0000-0x000002165A4F8000-memory.dmp

Filesize
5.2MB

Download
memory/2624-17-0x0000021659AA0000-0x0000021659B48000-memory.dmp

Filesize
672KB

Download
memory/2624-14-0x00000216597D0000-0x0000021659992000-memory.dmp

Filesize
1.8MB

Download
memory/2624-20-0x00007FFD053D0000-0x00007FFD05E91000-memory.dmp

Filesize
10.8MB

Download
memory/2624-13-0x000002163F100000-0x000002163F118000-memory.dmp

Filesize
96KB

Download
memory/2624-427-0x000002165ACA0000-0x000002165AD16000-memory.dmp

Filesize
472KB

Download
memory/2624-429-0x0000021640F10000-0x0000021640F22000-memory.dmp

Filesize
72KB

Download
memory/2624-430-0x0000021659FA0000-0x0000021659FBE000-memory.dmp

Filesize
120KB

Download
memory/2624-12-0x00007FFD053D3000-0x00007FFD053D5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads