discordrat | hxxps://uploadnow[.]io/f/krTzfqv

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://uploadnow.io/f/krTzfqv

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MjIzOTgwNDU4NjU5NDMxOQ.GEkcj7.DZZa25XaQvgv-ZVRs-HJbbZyRm7z_fvhKTVxyU
server_id
1282239514231701626

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5892	FPS+.exe
6076	FPS+.exe
5292	FPS+.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 308697.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1188	msedge.exe
1188	msedge.exe
2932	msedge.exe
2932	msedge.exe
2768	identity_helper.exe
2768	identity_helper.exe
5772	msedge.exe
5772	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5892	FPS+.exe
Token: SeDebugPrivilege	6076	FPS+.exe
Token: SeDebugPrivilege	5292	FPS+.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3140	2932	msedge.exe	82
PID 2932 wrote to memory of 3140	2932	msedge.exe	82
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 5052	2932	msedge.exe	83
PID 2932 wrote to memory of 1188	2932	msedge.exe	84
PID 2932 wrote to memory of 1188	2932	msedge.exe	84
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85
PID 2932 wrote to memory of 4208	2932	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uploadnow.io/f/krTzfqv
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb575b46f8,0x7ffb575b4708,0x7ffb575b4718
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5772
- C:\Users\Admin\Downloads\FPS+.exe
  "C:\Users\Admin\Downloads\FPS+.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Users\Admin\Downloads\FPS+.exe
  "C:\Users\Admin\Downloads\FPS+.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Users\Admin\Downloads\FPS+.exe
  "C:\Users\Admin\Downloads\FPS+.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14005404395737352456,5293720693786667127,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
78KB

MD5
b330768ecab3abad7aff662542e47b98

SHA1
9182c254d638fdb07f64819f113af6e3ed34466d

SHA256
6d1703bd786779f40dbb4cfd0de3e39ed7f09afcb8e3555aabc1bf6839ccb4da

SHA512
b62c74545b125dcd6afb4a7923ef52b6b9ac798796e82e7d2229e6748a8728fecbbd197375ebf6e2941451d0ffeb3c1b1d2e33d6d86792b65cb0d1ab75c4949d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9d83c72e709c284b71e5ad25b88dd888

SHA1
c3355866a4c5ba70d0b3fb8d07bfd62424ae8c25

SHA256
50b2f851b0fa82caf8b7444d3d5582a627949ca280cfea7dbd1c21ca3f7aae71

SHA512
6f514b3c4843461c97e69a5b27d35263d360c6850027ad005edadc3abb66ab06a7442be9818f758af591b5a88b91993103a5e8bcf5cdc89765173527562f6809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
98fcd2828922a08c0c44ba4a54ebfc54

SHA1
68ed0d3a59a4e5ee005a77cb139b3d88bc576137

SHA256
8c091ace8c6148fee4b5b3e36944167f36f65fa3ae4be705b4df1e03465371da

SHA512
7959cb2e4e0013679bf62a6d1c34d7b9bb50c9c3b0097ba48a457598780bbfb4b71dc949b1cbf88e60b10d90ac5433e5919f38e2bb5690a8a31e42fce6edd856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e62a8e1ea51ba99db28fed8126109efa

SHA1
d28cad499933c424483b88c94338a1b99183fe4e

SHA256
0b23e7227e30e0539dc76868fcc150fe1395ed1f50d8be30b166ac151c0c01c4

SHA512
cdf91377d271fecab2dfd84a02f3ecd89253255a5eb23d2ba849fd5ad0ec4c3fe0ddc278eddbabe4bb876ca321d9aa04556183e6bad5478cf210657fdf5b48bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
708a6b1ce6ca8e9dc665e51f950d0ca4

SHA1
d5c9ca6bac401d688d62bd224a9b3f51c4dff48e

SHA256
89f53c1f57806362c9d58f74f71652910543bfbde0ea8b39a3ad1f18a23bb539

SHA512
14135176433048054f58d4c99fd87bd8690798988d96c5467289cafcd35830f6b3fbc52fa99773294f36c4b56282cdfacd19af23e35e5a71cba59075b76b26e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fae421db3f09e4eff63ff9f37eed177f

SHA1
7bdb3d498de6792122cd471705ec8a572f8a8f5c

SHA256
3302c36de2c4db00f3187a90dc0b240739ac4883f8af6299cf856af8e84b872b

SHA512
801dd9f6fbb27b01ec5a0928cc78be11e1f53d0d07fe9f3aaa328682439b59fd70898f6634b6daafd13dc7fef639bd2c39b9fca50e2e92e7526e0060701d08ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d27bb880e2c2f00904ff80be8829fcc

SHA1
fc84b6974da01ca2c926bdbfe6ebc9a09537f584

SHA256
b4b13195974e5731245b49af943ca6acd30441c3f2eb85d3ffb04b78c461b1e7

SHA512
46ddf35ee9c043ba2753f89a14c97e10f3e6952d59bb2e558d5816941da86f454e3ba64cfda383fc98aa90e78d57fab4ce6d6e04c8720bfb22e3d79e8d830de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
200fadf20b8464175822e8b9d6650b92

SHA1
081c75f5dbc241371b49e4a57ff5bd04376c418d

SHA256
7a26cfa8894adda7ef6964e73e33e6d11d699f5b101272d8e1352afc81092ffc

SHA512
0e4edad06cd2f546446ba592be7d63dfba68115b967d41223a03533800daa67a115ba95cb7e67c914082eced9f256e155b31c443cabd62ddd8a6a023574a5664

Download Submit
memory/5892-294-0x0000018949E20000-0x0000018949E38000-memory.dmp

Filesize
96KB

Download
memory/5892-295-0x0000018964420000-0x00000189645E2000-memory.dmp

Filesize
1.8MB

Download
memory/5892-296-0x0000018964C20000-0x0000018965148000-memory.dmp

Filesize
5.2MB

Download