discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/Discord rat.exe
Size

79KB
MD5

d13905e018eb965ded2e28ba0ab257b5
SHA1

6d7fe69566fddc69b33d698591c9a2c70d834858
SHA256

2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
SHA512

b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
SSDEEP

1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{8F0FC87E-BD12-4EEB-B822-31DA4D2EE516}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
4084	msedge.exe
4084	msedge.exe
2636	identity_helper.exe
2636	identity_helper.exe
5824	msedge.exe
5824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	Discord rat.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2156	4084	msedge.exe	105
PID 4084 wrote to memory of 2156	4084	msedge.exe	105
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1364	4084	msedge.exe	106
PID 4084 wrote to memory of 1824	4084	msedge.exe	107
PID 4084 wrote to memory of 1824	4084	msedge.exe	107
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109
PID 4084 wrote to memory of 3524	4084	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffaed146f8,0x7fffaed14708,0x7fffaed14718
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1120961177453962266,4231763564200185285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaed146f8,0x7fffaed14708,0x7fffaed14718
  2⤵
  PID:792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
46454ea47f2366f98058c09088ba4dc9

SHA1
c1d104efb844b400dc3cacd68c29b74aba0352af

SHA256
4df893490149b70ce50a967785d3ebfd0925bf4b031cb8a9a0dc214ce5be12c6

SHA512
e98d625dd35f9a03e1c9dab3c828685f66f0588f8d06a99c5cc9638a9672bd8838e9bf8d81118d00f7d13221efd45fe5839633ba59a551747fcab0bbf5515b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
713B

MD5
a3494d5969c083cd0f14f837b9929c30

SHA1
fd8f8919a352befac28598aeb109663edefa90c5

SHA256
3b6a1b7890060b6ce60e62f2d8f255c18303cfd849752ca466ec7253f031fa38

SHA512
fa96ef099396046137889d05bcc603c1de857e3db9a56a8fb8980c621fc8d56feaffecad4eb6cc54b1ffe968794c900f167410c75bf922f60cba3cbe33fd0861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da84fc1a7f8dc1bdf073a654a37663c3

SHA1
744e34aa26362dda4db3a07aac73d073c0182e6d

SHA256
9c14afe3081b3d50335dcd4c8e38ba54909cd5867e9f2bffd0ae5399ef494762

SHA512
74f28930df42f8db64148a7a21bb8bfcc387c94ebf3b80368e1490e39d1d4fa54e42c5211bcc1f0e48208002f8c74906f92ad208f220eb171afd9bbbea4b8b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7665199556ee39b12ae0eebe2b6a527a

SHA1
bc22808c1d4627aa89b4c84693f3035a0a8c0a59

SHA256
effeef6bb179d0fdaf03c0c396a5c21480ca2b42c93860015906d88df31255c6

SHA512
2042665bcf55c2ed556758cf9eaac998955b3aa206aed79ea9d66bad4369ed869226fb595f516301373d3c9c491eaa401af81771bd64397a76d4133f2e28cf8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b5ad03010fb5cc7effc0d5e06b44600

SHA1
a6998a390096bb80c446f4c245e181c693efa00e

SHA256
31892dc2ab83283d0be8139f3e1f93255d24e89e6f04ff5d00d413ae8bc0becf

SHA512
43f164e6943e577721f420846e155ee4d515428aeaccd55e82dbcfa973c8ca9ec147c808b57488fe7ba57e311918b9933aa324bde483bd98bb8f93fc090bf8a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7fed6ab17582a9abc780e0a92129ade

SHA1
380c30fcbe376fcfc4ce483447f9a0a4626b3583

SHA256
79a0b5bd5f1074206ab202a6b7ad5c1ce19447af945a805f33c0bca23b0fdcc0

SHA512
0e905c268ccdee3128f057827206d2cadeca4b7768eb5054bf72f4e5e321b981fb2d97f725e3f77048a1aa7ce67631c626831277db753125fbbb8fb2f20d21cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd378bce8c8cd2dc147db70e1113c679

SHA1
19db7a0ba4165f1543a16ee685cd9778e8570102

SHA256
3ea7d78c366606f9f38a7676e94d3553c71b734e678c84d6f2de67c5d2e1420e

SHA512
ce0f23cb24529d3b41bff738a5277a66b03fd4455e272f2a127242b104b27e03e0be122d8216d54446ab01802813a1d1e5cc0e3b88bfafc69d25c08210dbdb11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a417b69a0e52b364742395ec5b56e443

SHA1
e5b11ad4389bb9b6253064fc0e604c1c396030bb

SHA256
829c14688efb2784ff856c00174d9f9b998cd5a5945a19c489be2e7ca07290b8

SHA512
d9cc57f1a790c19faf87234f5c1d8eb0ff712aa8ecc9545f770e81f2e7fc843e054599f6d86024c25464bc5456f8a92fe47cb3e1ab9fea93abb04b6532ee05a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59163d.TMP

Filesize
871B

MD5
2779c1845fd375545fe94f2414e4b195

SHA1
267dd9d21284325179b0da4529ba20c556f0dcaf

SHA256
4d6f1bdb4d65c7ceda9cc5e2cead45afaee0616cece78f26b1724ea34c6aa7be

SHA512
d842c838fcb14d2d7544ac8d732d2472487300851de150f05fde34545cd134a23e59d9e6233e78e2739f7a64e68d11e4b0ccc6e9459ac02ea14d65ea7ef90b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e5fc74877d2b2dd5053cfa243910e8e

SHA1
40e799ca1c997c41463b0f9b5acda4f9c45d6859

SHA256
0ee55f8f4da0c887a35ddecd0a5dcdaf9ced6a2d89ea6d22521922f043a6092c

SHA512
9acc163713a86932b7c1422be442888d23a65e33e49dac11bbf3c22e066b656d52ce7add5a882b779e5581596335582b78c377fee9e29723f28b36f564253bb7

Download Submit
memory/4436-6-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/4436-5-0x00007FFFB9073000-0x00007FFFB9075000-memory.dmp

Filesize
8KB

Download
memory/4436-4-0x000001F020250000-0x000001F020778000-memory.dmp

Filesize
5.2MB

Download
memory/4436-0-0x00007FFFB9073000-0x00007FFFB9075000-memory.dmp

Filesize
8KB

Download
memory/4436-3-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/4436-2-0x000001F01FA50000-0x000001F01FC12000-memory.dmp

Filesize
1.8MB

Download
memory/4436-1-0x000001F005420000-0x000001F005438000-memory.dmp

Filesize
96KB

Download