discordrat | hxxps://content[.]any[.]run/tasks/18182eae-aeae-4678-8ed8-39291b694af0/download/files/dc426c77-43ff-4ee2-9a36-04ed6aa7e89a/67b85ff6ac805000c196ccdc

Analysis

max time kernel
120s
max time network
129s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-02-2025 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://content.any.run/tasks/18182eae-aeae-4678-8ed8-39291b694af0/download/files/dc426c77-43ff-4ee2-9a36-04ed6aa7e89a/67b85ff6ac805000c196ccdc

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM0MjQ0NjAyNDMzMzE5NzQwMw.GbezOT.xW4sW4uTYSaPuZXo4FgHKG_Yd4UKuGxW9cRNKY
server_id
1342445708183076946

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
4476	tool.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
3560	msedge.exe
3560	msedge.exe
1872	identity_helper.exe
1872	identity_helper.exe
1240	msedge.exe
1240	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3476	7zG.exe
Token: 35	3476	7zG.exe
Token: SeSecurityPrivilege	3476	7zG.exe
Token: SeSecurityPrivilege	3476	7zG.exe
Token: SeDebugPrivilege	4476	tool.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3476	7zG.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 2800	3560	msedge.exe	79
PID 3560 wrote to memory of 2800	3560	msedge.exe	79
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1504	3560	msedge.exe	80
PID 3560 wrote to memory of 1084	3560	msedge.exe	81
PID 3560 wrote to memory of 1084	3560	msedge.exe	81
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82
PID 3560 wrote to memory of 1104	3560	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://content.any.run/tasks/18182eae-aeae-4678-8ed8-39291b694af0/download/files/dc426c77-43ff-4ee2-9a36-04ed6aa7e89a/67b85ff6ac805000c196ccdc
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa0d3746f8,0x7ffa0d374708,0x7ffa0d374718
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8658419090114944359,16112399307933468576,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\tool.exe\" -spe -an -ai#7zMap2550:78:7zEvent18327
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3476

C:\Users\Admin\Downloads\tool.exe\tool.exe
"C:\Users\Admin\Downloads\tool.exe\tool.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9091da214c5c97c04dfbd4afc733ec2f

SHA1
680c48d5c7cdf8b85d12d76e5b5af7d9ccf452b7

SHA256
565c816ea4b9387afdda41c0fc27e21ff9ae434cdca28af87483a29408d85f68

SHA512
5a561d5ebba54af22f33471f622ece68d4d9ba7e7a4f5b6848122aeb9ce07e51e9a56c1357165a5a7daabd03ecd8244b5759b893660958fe5d9264f7cbca0bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
557f371a46a76a07c6efcf6fd11ab4ce

SHA1
e0c37bf15afec5a1982e12bf7bae4fb9a26186d8

SHA256
4f8b247e7ecbf50c767928a706b8a47f267f34d5ba32484e63a40d4cf2fce3f4

SHA512
1fdd894c3620c80ec22bf5a0a4051de1eaa62fd3e69dfec4156b992b1dd77ebb3aaa2fc4d9ce937ee8fa17edfd921304ccfb1313722cd7a1869f66fb303c0bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7290ce791f0da4397e15d6cbf9a1ec5e

SHA1
4a5ccf0d7ee3de854431b420e3e47bd05f9ccd0a

SHA256
6f7221d5832a103e28a838a37848713d6d8c6ce9cc7a54588ae3a56664f35ac4

SHA512
83f7eaa06a90397ee3a3a72b2c1d6b438bd6c17b5064b860da2c18a21ffde05fc8c18958a8d84334eee83f17bc7b25adc9c275a180c57c39069db815ce1b022f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
309097ebb3a954144e1a5c7abfe4e30d

SHA1
5f13e8ff63a518ef5ff7a40b6d1a4c301f249ee2

SHA256
b42e838cf168a85dd92ada4f7577d4c3891fafcfb8a01d4dfce642fc0fc166c0

SHA512
f7fe57dd82f3f20ad6972943ed82a5fe524d5531bfa4f74524ab388a18d4f6662d063b07fbf247d13a3e201898995ff62815890590aa06b18a8c57ed804d9f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
314c2d3136f69d05100e70b3e348aa93

SHA1
1dd7b4fc73e8e3f3c524bbc5d58d63c67ffe92a9

SHA256
6e3c66c7ea0989a704e103bef247c3ebc795ec686ae6b0d53d50d17d6e625d2c

SHA512
846a46a58300444dfe3723071c891da48b347cfd98cb28925c105da5e74dd68f8014eaa2dbd08d7463cbbe5e722dc838d0b80ab922a11075a364d25d125e2baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab3bd1714554165b84199f1bad0c96cb

SHA1
123ab18e64824c4eb8c66fd8abdb054d1123a382

SHA256
bbc0a958cb76e5b581555515532b9464194f4328c32820f92b869b18a0fe5e4d

SHA512
a62033b3b96c9016a406536f8f5a6299521a63cdc2f4b05d3fc2ef71f728c7cce7fd68161bc26be9c1d710d26b9e4c0fda606c9ffc6d9212cd876ec26bb825f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31d907a971a89f5bc392ab4e2727ea3f

SHA1
3918e95aad74d784f336df22258814a689f6d913

SHA256
8ad34f0a4634fb66b3a30326fcc499ba54e99b819a2cd4d14d3da459a7067a4f

SHA512
f80c2c6d1df304ea7b8c697d31f4390cf895afeda24ff889d8950bdacd85461d6f794746c4bc2c7d6332d227f89075bf8a6cf62e115701947aef2959cb45eb40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0c906af7ecdcb035ab5c2fcd1fa26bc

SHA1
2b42ba5e04aef5745746b385bea10026d1590290

SHA256
1f544e1350d99d2310a586ee30a6c5ef5719b23c8ac95c651fde4fcbaef48a4c

SHA512
0ea54c691e52d007b6a51814d883a94eb340d23e9a3e2d609ac43ca82b21a66155dbaafa900b5de9372d45a08309088455f428abf7f5fbb9f5f023020a2fd695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
33319e4acadea81a7ef96df62e26443b

SHA1
e355374082d41fceb2627ea19a6cdd344fb47a0b

SHA256
da75c796eee5a12e4da2cbdf0823af618a8b25a69f5148c0c2785c5a2f663c7f

SHA512
7b8a51fce81a3d2e885845c2f525f25e4901a01a6b95de74c22f653b0149ae5cfa4ede698012871876c7c867bd38b210276fdd8db2b1100ede07eb90e1a73ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
96208adf81ccac68583e6a4388b3b036

SHA1
1d80c400836cf02e87017b4b02623a22f93cd7db

SHA256
b785c0cf3b9ed5f3bffefefab37f03a579803c33de2a2f1c743ca4ed5263f6f8

SHA512
0d5dc533d79183284ce6b97d6889ddc85efb4e2e66a951ccc65e7ab50a77c46393c5e044687565215165b8e24f06d66a05e28375db8b6c5adbfa02293fbd2403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587a1d.TMP

Filesize
203B

MD5
c2b1f2a648adb96a3867818bd061e278

SHA1
267903447833d23d824c18746e58efd8ca140ed7

SHA256
7f7f72fd5abd65c4a074b8a38ebf057c603d6f0ea2570f0eacf2538bc4de2863

SHA512
0befaf0ea4f482bae3223916d19eace2d704430a6d3e048688fb4219c8581e3622ac86dc7cfb74bdacb4925f88d1bdb34d98fe208f9fc70a5828284edda8f253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
69d8f9762ad0194b50d9df5a7c4462d5

SHA1
1e8954dfaf8c8042624a8563f5494bae26e55c8c

SHA256
5841013e94c1e2e0152be2471e813d1edd676eceeecc451621d14ba7401ed4f4

SHA512
c78956af460e66b3198538d88860d5805e3b7a1fb8fb7e0582227ed282482a852ea0fd390bca79144b5f75ab9f2a9b96c3d22f6df72dce4358abcea827b7dd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c6605f481e381ae746a7ac85d4076e60

SHA1
9cc0b17ac0ba5493e55a1a12431299689959f12d

SHA256
51fe0933517a4edf1a99301b701be3ed707aeb322b76546b4afd6cda26a03e66

SHA512
f2725abc9a7cfff9af75ad13a9360e6f4333421d79150b9aa31621112209fc9a5f86f4409daa9a622bc5d7598fb8a3861a40c95ab9444960e19db58e52779f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\cfc08e3d-6783-4bff-9099-3e99857abffa.tmp

Filesize
10KB

MD5
b133b9cdc307222d75852f97003e1f53

SHA1
3fe6c03de3321a8cc9c6130d99f9cfcc13d7776a

SHA256
d8a61c92e9d18060c7b76cb5a8c0642cf8047d6cd052c005c84739499168c295

SHA512
1232a6651ebd37a6bf5bcb0f010bb073a708ecd95060a909b4215c395468592b9d3a7cdddf5a1b31f5fdeacdeb1d625e307fa2d46619399b9b98f3795771bf75

Download Submit
C:\Users\Admin\Downloads\tool.exe.zip

Filesize
28KB

MD5
f49b45d385606acedb7c0334c22f0d0c

SHA1
f15af44c1a76eb7c74f8305f4f38d8a403211cd0

SHA256
e77b24f239047db06fa91cf965199e9305115295bf87f50ae8609fc5a0cee4f8

SHA512
bcf97dc44f670a657b25fe032eeb909249c98d8c30aeab7029b6b91541ba8b5ac086b87ec7e51c120d8cce381e97296194d820422a4c4da8991d182a073fcbb4

Download Submit
C:\Users\Admin\Downloads\tool.exe\tool.exe

Filesize
78KB

MD5
9a80a46066767632f41a8acf3053c8a5

SHA1
270d568c04b9ed89b462de83a2617ea67f191f57

SHA256
440ce8336104bfebb4b886dfcb59e5ba48198ad81f5288ef93ea41b47ff1485a

SHA512
067ebf7d2e2e4942fa5c1f6c06a271ec940cd7f902a21fc2fabf0d9abf05269300cd77d81d658bae2307742fd30f44bad9ddb7794928a8eb93672c8d19fccdeb

Download Submit
memory/4476-229-0x0000026C24130000-0x0000026C24148000-memory.dmp

Filesize
96KB

Download
memory/4476-230-0x0000026C3E6E0000-0x0000026C3E8A2000-memory.dmp

Filesize
1.8MB

Download
memory/4476-231-0x0000026C3EF20000-0x0000026C3F448000-memory.dmp

Filesize
5.2MB

Download