Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 12/03/2024, 16:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://filetransfer.io/data-package/1li3KsXP#link
Resource: win10v2004-20240226-en
General
Target: https://filetransfer.io/data-package/1li3KsXP#link
Malware Config
Extracted: discordrat
discord_token: MTIxNzA3NzI2Njc5OTEzMjc5NA.GAOYV3.xQnTqmmpoLSHwXaVIJBtj8iVivEgiNDnLOt_Pw
server_id: 1190067527355744316
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 15 IoCs)
flow  ioc
167   discord.com
202   discord.com
253   discord.com
161   discord.com
162   discord.com
163   raw.githubusercontent.com
249   discord.com
150   discord.com
157   discord.com
184   discord.com
151   discord.com
212   discord.com
164   raw.githubusercontent.com
165   discord.com
171   discord.com

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{E6CC4B9D-905F-428C-9922-5D831C021E6B}  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings  msedge.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid   Process
3520  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
4656  msedge.exe
4656  msedge.exe
4260  msedge.exe
4260  msedge.exe
2484  identity_helper.exe
2484  identity_helper.exe
4964  msedge.exe
4964  msedge.exe
3076  msedge.exe
3076  msedge.exe
3076  msedge.exe
3076  msedge.exe
2972  msedge.exe
2972  msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid   Process
4260  msedge.exe  (10 identical rows)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            5888  build.exe
Token: 33                          2984  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2984  AUDIODG.EXE
Token: SeDebugPrivilege            5468  build.exe
Token: SeDebugPrivilege            1944  build.exe
Token: SeManageVolumePrivilege     1120  svchost.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
pid   Process
4260  msedge.exe  (35 identical rows)

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
4260  msedge.exe  (24 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target
PID 4260 wrote to memory of 1548  4260  msedge.exe  89  (2 identical rows)
PID 4260 wrote to memory of 5028  4260  msedge.exe  91  (40 identical rows)
PID 4260 wrote to memory of 4656  4260  msedge.exe  92  (2 identical rows)
PID 4260 wrote to memory of 2608  4260  msedge.exe  93  (20 identical rows)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4260)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filetransfer.io/data-package/1li3KsXP#link
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1548)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ba746f8,0x7ffd3ba74708,0x7ffd3ba74718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5028)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4656)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2608)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3772)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2832)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3964)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2484)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2136)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5060 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4956)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4964)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5744)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5752)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5988)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5996)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3076)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 60)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1912)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5696)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6200 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2972)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4160)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 736)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4500)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 5272)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe  (PID 5556)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Executor.zip\Main\RUN_ME.bat" "

C:\Windows\system32\cmd.exe  (PID 5840)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat" "
    C:\Users\Admin\Downloads\Executor\Main\build.exe  (PID 5888)
      build.exe
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE  (PID 2984)
  C:\Windows\system32\AUDIODG.EXE 0x4f0 0x150
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\Executor\Main\build.exe  (PID 5468)
  "C:\Users\Admin\Downloads\Executor\Main\build.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\NOTEPAD.EXE  (PID 3520)
  "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\cmd.exe  (PID 4648)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat" "
    C:\Users\Admin\Downloads\Executor\Main\build.exe  (PID 1944)
      build.exe
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\Executor\Main\lua_extra\lua.exe  (PID 1600)
  "C:\Users\Admin\Downloads\Executor\Main\lua_extra\lua.exe"

C:\Windows\System32\svchost.exe  (PID 1120)
  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: f35bb0615bb9816f562b83304e456294
SHA1: 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA256: 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512: db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Filesize: 152B
MD5: 1eb86108cb8f5a956fdf48efbd5d06fe
SHA1: 7b2b299f753798e4891df2d9cbf30f94b39ef924
SHA256: 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512: e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1e9490cb-288b-497b-8ef1-dad6120356cd.tmp
Filesize: 6KB
MD5: 28ddff671af01f28946ea5d8735e5ff2
SHA1: 9d154d04e04457cdd8dd527cfff5b3d5ff873dad
SHA256: 280f163ee79a9a3ac15d16cb6b2e046940a682ed235197f7f90de24e821dfe67
SHA512: a7068db03464deb41be6520f3522d486c2c0c628a6dcc7ffdbd2a653db8095c3df51403e7706654c298384ab899cdce00fe2bf919db028ed393a5fc3fc092e23

Filesize: 64KB
MD5: d6b36c7d4b06f140f860ddc91a4c659c
SHA1: ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256: 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512: 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Filesize: 67KB
MD5: 88a552e6be1ac3978c49143983276b3a
SHA1: dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423
SHA256: 927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5
SHA512: 125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Filesize: 32KB
MD5: e51d5a73c3611bb52db26942a6cd26fd
SHA1: 8a750003a6fd6321eca6624012d638eb71edb5f3
SHA256: 8a35d9b6767a86e337309319ca907cb0837e4b836f82143c58a02ccc94a11e7a
SHA512: 597043744a4afab83b63ed43db92bbe813e6003844d5f8beb4d4e7f52cc4e40e3af08621da4eca9407d4ec5db114f03964c4d35bf3b94dac8225bbf007659670

Filesize: 63KB
MD5: 710d7637cc7e21b62fd3efe6aba1fd27
SHA1: 8645d6b137064c7b38e10c736724e17787db6cf3
SHA256: c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA512: 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Filesize: 19KB
MD5: 2e86a72f4e82614cd4842950d2e0a716
SHA1: d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256: c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512: 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Filesize: 84KB
MD5: 74e33b4b54f4d1f3da06ab47c5936a13
SHA1: 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256: 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA512: 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Filesize: 1.1MB
MD5: 6fa864cce0000aff0d1afa54513940f7
SHA1: 38fbf15f58e009976387165f49d3273f4a1b5037
SHA256: a692ca9498ec28c5b2a01c28d0d14fcd5039b753c34b3f18c2d35424fb04ec6c
SHA512: 2eb612f54d3f2deb2a88ec465ac4c279bf1306b4ef5d251540356b5e0904b20fad8f0f4d4739b9ef32143ef3337917d499d1146bdebe9d7c687cf65a867ddb33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 23d72f063e2d366fc86ab758677f01eb
SHA1: e0fbebaac6624e23a60b5f9f2f8fcb0258fbf2ed
SHA256: 7a1967f3800539d0a09d9a1c81b9025f4439c7da8afd94dea6344ec36ca9cf1a
SHA512: 47f17a32ce16c5bb979162ae32f0153087beee7e94f67d33d6a06625f5d9a8d1e637f592f60c3e65f7207d99dcafef738ca114457a9f19af95282f8d1d5554d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 216B
MD5: 92592b5329235e809763318f2a31612c
SHA1: 0dd6ee877c18477be6cef771a8ccb31d5cfeae9c
SHA256: 99ceed1a287c1a2a2ccc8d032fbd6abb67d350320846411dd762e19094f525bf
SHA512: 25c6dc557ae07a471b5d656dbce92b2cf128bcf7ad5e93782c86984ae0666441ae955555285b897644ac192c3681ab07f6fc22a8e3446688ff751f9fc5ea9e44

Filesize: 1KB
MD5: 1555336c7a15d07ece7b72decba72f48
SHA1: 6c7ad3908604a546ffe1988f22a814cbefcf0749
SHA256: d1357ef476bd99fa8734f2caf1d197c7dcd8a6160c9fa953eaddd3978c8a20c6
SHA512: da2eedcd81676bba5df9d62e4cefd5d7b3896c125a98d1df554faab753463b005f98b3103f32444a6a391b4d5dced6edfc67bce5f5926c36e625f281e1d98fef

Filesize: 1KB
MD5: d480c6d6242395af53ad5ab038e00153
SHA1: abcd7259d06f4ac43792e4ef09b99abf47000c29
SHA256: 43b82fcfecfaa9fbb64e22437848d870485ad38c6c5b06caafa94fc8bc391359
SHA512: 9d762c73cbe1f04e4b769d73fc6de25f8dc1f3f1a167bdf6127d2c9867565919e406b571f75d5c1e737cc87df42ab68dc28c9bcefb7fb9b40c939e33156d191b

Filesize: 6KB
MD5: 3290ff1df15868ea9459aff8760af593
SHA1: c8a18cfd2b978e1f71e0084dc621ef3fd2723f17
SHA256: 879a06e0e46b2771ebe13b839150383ebc7597d061f0c2ab1bc343af8fbdeb68
SHA512: 884cfd1b768148b1e192e30124f893bb1c2b2d73c22faec0f5804390db611022388cbc616c424c11a5ae15c0028beb45a6dab6d643e02e6e3832a4ddfe16a5a9

Filesize: 7KB
MD5: 74223b215039316bd952beb2a9eb3c14
SHA1: 8e4c3153fa784fce7dfcaade7d341a0bbef67666
SHA256: f30959e56eecdb4da45a5b2e1d6d24216abf6901639717a92f1b75b6dbaab3cb
SHA512: bda60b7932b896b772b3fbf06e3b4d9491126fe35e7cc976145b7d5d01e2180e6bfb69ced68ab01bc290d0163500fd7123bc139f6f6085918c8435a5ae86526a

Filesize: 7KB
MD5: 482b0a3cad7529e6e2ee52b33654b47d
SHA1: ca14fe5e634e0e4d03364c507acebfb1bac50960
SHA256: 4b421272d5ff25fed5a84ba1e3b79c490ca7c4554957e6a9e4352784af36c85f
SHA512: 0034f836a63b23ee1d4fb296e5b2f7506996e197d2788104f2807d8859500f8f3a1ba6c284d84262e9ad4e2cd3debd091bf4664c60b238831b0f09ecbd9aff14

Filesize: 7KB
MD5: 0a50634aee808704e8740ee57bd80406
SHA1: ebc10cd884bb6b30776977377ad5ed28cd8d3128
SHA256: 007e50fd80e6e55069dfadd00e886e5ee7c4d64edfb5655f424a51faae2dc2d5
SHA512: 3b1cc9d71ff7bbb4efa82981c30ea695ad5066701d28d4cba515f10d82af488f9b89a80579cb4bc66996a2e497e75ce111b849730e171d0bfb2fe7e8d006b868

Filesize: 1KB
MD5: 605b6d852b6604132be1c1bdbf1a5896
SHA1: 4692d1f661698427ba4c4af6988c8c1f933c56f9
SHA256: fab765ac8fd48b26ea7fae12b6d027a9a6ce21f4059df4012b874f04a52a458e
SHA512: 472a63b6c97b4ee8b9f5dfbf237ecc0664b64a9a53548ed795efad09f84d8a01fb11203f302b22d3861db8c81810642e0f5811ada65a4ae053c9f90949f29091

Filesize: 1KB
MD5: 70d19d88590df9a2cc203ca916c98562
SHA1: 5aea6c64fb2b5f5dea8a973b7205b86463abc77f
SHA256: edd10ce0484b1d0c4dd02b95e5da57366ea88931ee239448d31036cd94dff4e1
SHA512: ece289b358b69a30b51c9f3e7529f4d3030986e1e730a14a2e3f881095e053f74bb2c60c0d52087e679c20282935c40067c3c5d70f7aab6263df3ea47caed60b

Filesize: 704B
MD5: a0b039a31765009a82737428e943983e
SHA1: c5ee7fe416b89dccada13c8e453f93840bf4b627
SHA256: c9470b787a4eb7eb79898d28e18c55e31782b133984dc03e97ae76499870e1a5
SHA512: aadf36498a86cf24fd724a4d7afd8e5a08be367a01a354fd34aa31b9891a541d46eb39f1fefed7f6bc627bd2204696aca75ba7bf188877c151864fa0822c63f7

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 7ebfd8907281fbb2c9daa94ad1327d3f
SHA1: 42fd0a61c7a9f5ca4806fdebf86f978d7b11bb3b
SHA256: c074e05ac3335fb1d43d6de7898ccc209dc1d5dcd644c183c73f1d2965dce77f
SHA512: f865652ac2e2b231878f6fb7808924c41b1ffc5e7ce72f83769b9d1f20e78fdbf118d6c316ff22c4eb82600fff16c0fe9f6d04c2770ac4ea5560aee95327701e

Filesize: 11KB
MD5: 900fcc36c80f4359a290ed8154b1ecf6
SHA1: 4b650afc75cd33babef56c5aca9af757b29e6883
SHA256: 38c129cc85e3abeed0d9ade5c2982bdf3c5866072b0c6da3f9466e29745f82c8
SHA512: faea9e70fdd2733d3e638fb5aed8a667306914a167be3828a358b3f3786c58826da40fc34ea5c924b4b12e0b3b70fd012c0e4d8f2c1af6891c71e2513158e09d

Filesize: 12KB
MD5: fe3332119214e3bb5e52cb962a56c15c
SHA1: 5a0818d5b40677d48bfae3221fb3b8559d202b01
SHA256: 9a99cdb2f43998de60d6dcf3cad20b5491f89d7eff857fc513847b28fb883d26
SHA512: 39f7a43610e3c755789339fb5d7e47d6a7f33183a57f87e63154a19b3b05d5f5a176cd7bd00b7d44f45fa08f99a869d647ef10479f6fd81c7bdba611b40df7b8

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_566CEA45C5A84D53AAF4630FD0318604.dat
Filesize: 940B
MD5: 4c0cf994d83b39b62be8fd4671f1e4e7
SHA1: ced6977dbdefddb83c9b3264d9d6a516928758ff
SHA256: f8720717d55451885519d36ac80fe6f95cb01b2d6bb71d59ddc062167174ed67
SHA512: ca2d04d171acd5f5f2716a93494a7aaf44eb38c7ad43d8641b94e18c4922718b6b96c2f56c5f7eba6bc03ff79f81ae731c28d333ed78bd8fc7f227dcb2d3c3dc

Filesize: 5.8MB
MD5: 956e19b636b18bb0abac9466a97fc444
SHA1: 4eeed55dbd88b17b31030f11786d11d63eaf97e4
SHA256: e80ce65e2875c14536961cac4fec8860e110e2549fd03323d227117bdb9340b5
SHA512: f04a620a75b6d6f290e0e25aaaac478294d99a76fd84202fcf937f11d931cd810c5b11ec2c646c8313035d092e96c521cb1ee50b0058039178fcd1261def5eae

Filesize: 19B
MD5: 6ba539a80c1ca6cc38677f419ae51d7d
SHA1: 2f592e7d286d4af325b4062affc0ce74ab5842fc
SHA256: 241d6b996f851c99018599915e80e40cf92f930190b6e23831ca4469e967e320
SHA512: 6f1bc4a697c69d236dcfb88cbb9912b0d4d972b7c64f556a60ba448c11b0311be3e74f3ef1f38094b3ee6335210827db5f595913865f6762c8c83fceb0411656