discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1254334525543288915/1254336947875217519/solarabootstraper[.]exe?ex=667bc2d0&is=667a7150&hm=9e37d9feda8ac823db279851a858c2d999a629b641924f99d34c335af2ab7d6e&

Analysis

max time kernel
41s
max time network
54s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 16:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1254334525543288915/1254336947875217519/solarabootstraper.exe?ex=667bc2d0&is=667a7150&hm=9e37d9feda8ac823db279851a858c2d999a629b641924f99d34c335af2ab7d6e&

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzOTEzMTk4MTc4NzI5OTkxMg.G2PouQ.rmLVRC29c13dyUDlcJhFL4MtNpJCMM3OTOmuyI
server_id
1254334525543288912

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

solarabootstraper.exetest.exe

pid process

3668 solarabootstraper.exe
940 test.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

22 discord.com
23 discord.com
24 discord.com
2 discord.com
19 discord.com
21 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3668	solarabootstraper.exe
940	test.exe

flow	ioc
22	discord.com
23	discord.com
24	discord.com
2	discord.com
19	discord.com
21	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 182637.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\solarabootstraper.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

SCHTASKS.exe

pid process

1712 SCHTASKS.exe

pid	process
1712	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3388	msedge.exe
3388	msedge.exe
1604	msedge.exe
1604	msedge.exe
1336	identity_helper.exe
1336	identity_helper.exe
2912	msedge.exe
2912	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1604 msedge.exe
1604 msedge.exe
1604 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 940 test.exe
Token: SeShutdownPrivilege 940 test.exe

description	pid	process
Token: SeDebugPrivilege	940	test.exe
Token: SeShutdownPrivilege	940	test.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1604 wrote to memory of 3596	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3596	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3788	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3388	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3388	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 3444	1604	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1254334525543288915/1254336947875217519/solarabootstraper.exe?ex=667bc2d0&is=667a7150&hm=9e37d9feda8ac823db279851a858c2d999a629b641924f99d34c335af2ab7d6e&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80f013cb8,0x7ff80f013cc8,0x7ff80f013cd8
2⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
2⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1808,2750101162689822614,2211953320382719245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4372

C:\Users\Admin\Downloads\solarabootstraper.exe
"C:\Users\Admin\Downloads\solarabootstraper.exe"
1⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77test.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe'" /sc onlogon /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3a2dabb54ea9b4f4517881e92dd77b63

SHA1
478e42b82b3b68627363aecb939551c386e929fc

SHA256
897c75479c8cd0abd55173cb0ba0a5d3f1e137b58c2f6509b28b6b2aa093cc9c

SHA512
a73b6a0eba56a0da3bafc7e6318407a446d0c31486a4d6f1b39a61dd50ed36734a732a0300bbe5c59b2ba4e755ffc592c8a7328024ea59af54933e390d5f0534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
eae4285984655415c93c8089929db201

SHA1
43f78ab62088822daae8917e2952d9697ab4dd88

SHA256
89e6c309f20127176afeeec396d43f7fd89d776f52c72fef7ef4ae48c5b7fa1f

SHA512
52f33078ef5717f439323db1be7295d016f5fbf7a55b06f07cbef82dc73eeca9b48e89fd32be3103e3c8592062aade5c66782d17215584997f1c2ca531011479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fc4f194621d8837c314f93a43ff80ea4

SHA1
87682f1d85ff5af60cbb6fd1a459d99906b05eba

SHA256
6eea96649109f0bcdc7882bcdc31393abcf7de6c7f82fabf44ba96fe9254c1fc

SHA512
91ad899c363c614e87c37cd518cfc1d6bbe75c6aba8e370bf8e76813fb64501c3a2a12bd72dc631bf812fa8de18b804acca5827dcfe70f8963239b820192435a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
754b9a63bc08f84ffc4bbf21f3397556

SHA1
3f01c210d860c5a9281479304efbadf543b50d09

SHA256
6f3fef9f4562dfc9a08380ff591ef7a5a6395d83bdbd8dad9667e08cae5c1a5c

SHA512
32a65bdac36acf966e3f237d35638368b6d29e4f79ebfb2e5b1418970201ac09f461d9d4f03645dfd4a34d4ae0961b0af3e3b87e4f909454072b86b75a3ebafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
be6eb3d4c033a8702d905afae18a5f87

SHA1
669aab92d92bdf80e48809a05cbc864eaefe61aa

SHA256
b78ca11790ae1e63c758309b071edd692ad9e5ca033d41554dc3cb1b2239f797

SHA512
56c0ead5d71b922765eefc0cc11cbb4a37ebc12855f1c1c1671693dced2b88c3520cf68edf5e2b4e6677db13d60d9638d3e911b5c8e947184e4453a81d2ca29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
Filesize
78KB

MD5
cd0398fb5a04ce43be2b1183e7dfad06

SHA1
e1e9ac1f1f2533f3bfec802cae2cbeeeac65c181

SHA256
c4fb94399b109d19585a03233be7663000aae8c7c7f8661ce744c59bfa8ced08

SHA512
50bfd2614078082fd83e43e61a36b086eae0fec2399fae5655c6442a474ffb7c25cabe43b4c484c85acc4fac72c2f2613dc00e85045242dfcdd91093519699bc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 182637.crdownload
Filesize
497KB

MD5
48258af1b1134dffa388c6f2590325c3

SHA1
e2fa6a4351d7b358e6b20e9194b63b54751458d4

SHA256
d0452f63e207ead4ba0828fba9cd46d54c08906ac3f35f1c0b27dda2d60fbc83

SHA512
1eeceefb8843f72b55e1b517039ab53cd72af3bb294fe9b06ce0a6207749506bf299cd913a4a1088ffa002069821d346ec3fc045fa701014110beec03d7d208c

Download Submit
\??\pipe\LOCAL\crashpad_1604_PHEGOIWTRAVBHMGB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/940-96-0x0000021348290000-0x00000213482A8000-memory.dmp

Filesize
96KB

Download
memory/940-97-0x00000213628F0000-0x0000021362AB2000-memory.dmp

Filesize
1.8MB

Download
memory/940-98-0x00000213630F0000-0x0000021363618000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads