discordrat | bd106b91048fc739e255f76dbd42f6c39a4ce22a1db5567adef95278b84b975f

Analysis

max time kernel
93s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 17:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

backdoor.exe
Size

78KB
MD5

fd20fe5621aa91f1ebac577a4b873694
SHA1

e21b19d3b71dafd57c64042553436d543852ed12
SHA256

bd106b91048fc739e255f76dbd42f6c39a4ce22a1db5567adef95278b84b975f
SHA512

c769fb3f55d937c9f536c3c201fd3158a4493ab70d03d659385f2537b779b3a1f18bff9be861157c1c1468fbec435d30608330327387eb7f674e26e8059cb8c3
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNzUyOTIxNDUyNTkwMjg4OA.GXalZP.lRGd6IoMrnd96ty8BDoTs4fndB5ZtDl8eCK_vU
server_id
1317529702952337458

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
30	discord.com
32	discord.com
61	discord.com
3	discord.com
5	discord.com
6	discord.com
28	discord.com
29	discord.com
1	discord.com
31	discord.com
34	discord.com
35	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
3172	msedge.exe
3172	msedge.exe
1468	msedge.exe
1468	msedge.exe
4636	identity_helper.exe
4636	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	backdoor.exe
Token: SeShutdownPrivilege	3280	backdoor.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3172	3280	backdoor.exe	77
PID 3280 wrote to memory of 3172	3280	backdoor.exe	77
PID 3172 wrote to memory of 2612	3172	msedge.exe	78
PID 3172 wrote to memory of 2612	3172	msedge.exe	78
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 4856	3172	msedge.exe	79
PID 3172 wrote to memory of 740	3172	msedge.exe	80
PID 3172 wrote to memory of 740	3172	msedge.exe	80
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81
PID 3172 wrote to memory of 4384	3172	msedge.exe	81

C:\Users\Admin\AppData\Local\Temp\backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\backdoor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
    3⤵
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:1152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
    3⤵
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
    3⤵
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
    3⤵
    PID:4176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
    3⤵
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
    3⤵
    PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    3⤵
    PID:1956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
    3⤵
    PID:1940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1206885411394858781,913536998540815295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    3⤵
    PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
  2⤵
  PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  PID:5308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6f223cb8,0x7ffd6f223cc8,0x7ffd6f223cd8
    3⤵
    PID:5320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c7e98e7-acd3-4324-b7c3-dd773bb89571.tmp

Filesize
1KB

MD5
137365f0706c3a01a5bd3306ec44d6e7

SHA1
e30fb0c9e74048de8b51e4766a36efd0bc4fec41

SHA256
7409419beff92ae73c2bb0b6d2bb3cdee8d956e4f1ee9fdcb2f874fa34cc8df2

SHA512
a2a108b4b4396c463a4e13938d353b63edd864f6da55191ef3ecb6208c2a1fc2bc08a3f5dd5d1e20271e09f036fe06f35601a279decd8f9e34ca34ce36130a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\27e336d9bf26b5c9_0

Filesize
288B

MD5
129953f99d9ecbc48ed07250bcf2af87

SHA1
80a19a255548f9afb9f3417fe5d90cecff3d3c14

SHA256
a4608337c93fec332cf1a061e64cbf431658d6a34bc8d1bdd2eadb60cd1cf905

SHA512
b6133bb9a1c92057c00bb0c77565d49fa37e2987d07d799d875648c64d462057599d6ca184d4c39a5e6aa283f76ce26a04ea4cf807571abea41c3caca0059af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\882a170cf78c0a90_0

Filesize
429KB

MD5
b306b0fdfb610d6107a034c0ae0d71c1

SHA1
76b564c1a43b4ef6ce422a993d4e92bed84ca5bd

SHA256
ced9491575066c63ec6bb17f08378c66075534ade2e47181aa08ed486220e47b

SHA512
7fdc83cecf5bd89ac6b037291ee34343f0541a6f1a7358192f8961d8a323fcf044ee18bdf7cedc34a02d9d79e96d4e7ef8c205193043f80da9d6ffc79956268f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
9d999be449e99ed326b59d525dbe342e

SHA1
1a77519ce3913e6a41fca0d1afe0775704eb0785

SHA256
2875889339dd47c502afad0930c2ce113c9cbbd1e76a43e7f3e930b8341f6690

SHA512
bea52d0cacc9167e47a3657f490a8a20b90ec7a26e1116495396f7a98b381efec9abdd636972f72cc2fbdd98217d3da7cd81b1487e23ce97409ffe2ccea8f93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7afb1f6941190386f068e6e2a230e92c

SHA1
dbe561788e4af7a84e38ef6ff35fc56666b4b67c

SHA256
8615c13da14aae2049fb1ec6ebca0b634d7e4da82517228c19e9fda1ea1eecdb

SHA512
33e4eacdd46ee3203b97d944b2ef9c96c0753f192296c7221b1ec8ab7b1edb92439b57549b7ecff8ec40a7ca2573ad9babd67883ae10e948d4f38155cc50dc7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e5ff3a9eabb561ae4d08e45186fc8692

SHA1
61bb721b7faab3cd653a701334c357acaaabdf12

SHA256
c53e26835f83dbfea433b030b459c70a96ea5643b3ba90c21c51e63c580e5042

SHA512
4f8df2d090b6c4d030034f32e69a34d41e225d9be817cea3d38a136fc046a00fc1ca1ec7301f093e8040c5a618e8883819562b67ff1172c035e08188beffaf58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f906d0db9a45330cca5a3f9a8b5ebdb7

SHA1
03edcdddbceacedad09778553a7bfe6baa71671e

SHA256
f63b8ec38418d71602d6ac52a010acbf08b6a4426803c314a7e2cc6bef21eff8

SHA512
5c654140e54db893e28963fed8d2409a85d5cce394bf14b84dfb52e1eb584fef996f911f8ed2b89f25db794f22bb64b9ff64a14fca69b9493caee9f4674c8fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
61d309ab9102864ff9c91974fe3e8a68

SHA1
2d07b6fa422844494773c8115fba02edb6aa5f4a

SHA256
b9d3009123f3c9db85d7aa3bd57329aeab5efea42ffc8a3311f87674038984bf

SHA512
4ce206c9f438e8d0340c1cf2d246065aabad58fd0b5c034ed35a46be067f18e43204bcfbc0a9783cd0e6b3d3b1f811bac4642eac1d0a38931d79d75bd9d213cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
65a6f6b4d24597f389642b0da31c3e91

SHA1
87a18115abdc5a672106f798ce5e3f1a11f73e6c

SHA256
3aebb740ff5c99d5e46416902b088e89f3544e7590a07912672f3b993ff4015c

SHA512
fee7192ba0065312fca2b2cbf70f9d68c0759fd64eea567d6890dbfafd2ecf82be741c0cc55b1dd886163adcc8fc072a16e8217805bb400df2de9b885410f622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ac1a.TMP

Filesize
48B

MD5
7e13ed8cb2064eb642a86c170f76c44f

SHA1
6a68966343218af0859e81945f3b3f88074b855a

SHA256
5c38a249bbee0652af1d6892fe842a9156ad371366df16994cd364f8ace0c39b

SHA512
ef3486f003854f53b07657551b9eaef90cea13f2f564caf81ff49d8972db556cbdff410f3f866492f0f4d782644cc6dbd35958b237112f7e76be75e4942203e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\af294fad-4d05-440e-9699-3a8e05b45b21.tmp

Filesize
10KB

MD5
61ab78986c8477c80e84fd2fc3e85284

SHA1
373114a3cd3d8461e31da5aa08114789a4b07f13

SHA256
3092103d3ba914bab824f4a4d879a00841e74f28877bca6e028f5a6331f5100b

SHA512
821bab1e007c9a9596892495b746ef166fff560646e221b1eb5ea3ec244949295ba89beea1aa3e109f90dd58bf4035c337aa7e7f8fb3dd0315082ed96cd7d397

Download Submit
memory/3280-4-0x0000015F242F0000-0x0000015F24818000-memory.dmp

Filesize
5.2MB

Download
memory/3280-3-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/3280-5-0x00007FFD61473000-0x00007FFD61475000-memory.dmp

Filesize
8KB

Download
memory/3280-0-0x00007FFD61473000-0x00007FFD61475000-memory.dmp

Filesize
8KB

Download
memory/3280-6-0x00007FFD61470000-0x00007FFD61F32000-memory.dmp

Filesize
10.8MB

Download
memory/3280-2-0x0000015F23070000-0x0000015F23232000-memory.dmp

Filesize
1.8MB

Download
memory/3280-1-0x0000015F088E0000-0x0000015F088F8000-memory.dmp

Filesize
96KB

Download