discordrat | hxxps://filetransfer[.]io/data-package/1li3KsXP#link

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filetransfer.io/data-package/1li3KsXP#link

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNzA3NzI2Njc5OTEzMjc5NA.GAOYV3.xQnTqmmpoLSHwXaVIJBtj8iVivEgiNDnLOt_Pw
server_id
1190067527355744316

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
167	discord.com
202	discord.com
253	discord.com
161	discord.com
162	discord.com
163	raw.githubusercontent.com
249	discord.com
150	discord.com
157	discord.com
184	discord.com
151	discord.com
212	discord.com
164	raw.githubusercontent.com
165	discord.com
171	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{E6CC4B9D-905F-428C-9922-5D831C021E6B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3520	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4260	msedge.exe
4260	msedge.exe
2484	identity_helper.exe
2484	identity_helper.exe
4964	msedge.exe
4964	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5888	build.exe
Token: 33	2984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2984	AUDIODG.EXE
Token: SeDebugPrivilege	5468	build.exe
Token: SeDebugPrivilege	1944	build.exe
Token: SeManageVolumePrivilege	1120	svchost.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1548	4260	msedge.exe	89
PID 4260 wrote to memory of 1548	4260	msedge.exe	89
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 5028	4260	msedge.exe	91
PID 4260 wrote to memory of 4656	4260	msedge.exe	92
PID 4260 wrote to memory of 4656	4260	msedge.exe	92
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93
PID 4260 wrote to memory of 2608	4260	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filetransfer.io/data-package/1li3KsXP#link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ba746f8,0x7ffd3ba74708,0x7ffd3ba74718
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17054411864015179575,17047875495865915830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Executor.zip\Main\RUN_ME.bat" "
1⤵
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat" "
1⤵
PID:5840
- C:\Users\Admin\Downloads\Executor\Main\build.exe
  build.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\Downloads\Executor\Main\build.exe
"C:\Users\Admin\Downloads\Executor\Main\build.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5468

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat" "
1⤵
PID:4648
- C:\Users\Admin\Downloads\Executor\Main\build.exe
  build.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944

C:\Users\Admin\Downloads\Executor\Main\lua_extra\lua.exe
"C:\Users\Admin\Downloads\Executor\Main\lua_extra\lua.exe"
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1e9490cb-288b-497b-8ef1-dad6120356cd.tmp

Filesize
6KB

MD5
28ddff671af01f28946ea5d8735e5ff2

SHA1
9d154d04e04457cdd8dd527cfff5b3d5ff873dad

SHA256
280f163ee79a9a3ac15d16cb6b2e046940a682ed235197f7f90de24e821dfe67

SHA512
a7068db03464deb41be6520f3522d486c2c0c628a6dcc7ffdbd2a653db8095c3df51403e7706654c298384ab899cdce00fe2bf919db028ed393a5fc3fc092e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
32KB

MD5
e51d5a73c3611bb52db26942a6cd26fd

SHA1
8a750003a6fd6321eca6624012d638eb71edb5f3

SHA256
8a35d9b6767a86e337309319ca907cb0837e4b836f82143c58a02ccc94a11e7a

SHA512
597043744a4afab83b63ed43db92bbe813e6003844d5f8beb4d4e7f52cc4e40e3af08621da4eca9407d4ec5db114f03964c4d35bf3b94dac8225bbf007659670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
1.1MB

MD5
6fa864cce0000aff0d1afa54513940f7

SHA1
38fbf15f58e009976387165f49d3273f4a1b5037

SHA256
a692ca9498ec28c5b2a01c28d0d14fcd5039b753c34b3f18c2d35424fb04ec6c

SHA512
2eb612f54d3f2deb2a88ec465ac4c279bf1306b4ef5d251540356b5e0904b20fad8f0f4d4739b9ef32143ef3337917d499d1146bdebe9d7c687cf65a867ddb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
23d72f063e2d366fc86ab758677f01eb

SHA1
e0fbebaac6624e23a60b5f9f2f8fcb0258fbf2ed

SHA256
7a1967f3800539d0a09d9a1c81b9025f4439c7da8afd94dea6344ec36ca9cf1a

SHA512
47f17a32ce16c5bb979162ae32f0153087beee7e94f67d33d6a06625f5d9a8d1e637f592f60c3e65f7207d99dcafef738ca114457a9f19af95282f8d1d5554d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
92592b5329235e809763318f2a31612c

SHA1
0dd6ee877c18477be6cef771a8ccb31d5cfeae9c

SHA256
99ceed1a287c1a2a2ccc8d032fbd6abb67d350320846411dd762e19094f525bf

SHA512
25c6dc557ae07a471b5d656dbce92b2cf128bcf7ad5e93782c86984ae0666441ae955555285b897644ac192c3681ab07f6fc22a8e3446688ff751f9fc5ea9e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1555336c7a15d07ece7b72decba72f48

SHA1
6c7ad3908604a546ffe1988f22a814cbefcf0749

SHA256
d1357ef476bd99fa8734f2caf1d197c7dcd8a6160c9fa953eaddd3978c8a20c6

SHA512
da2eedcd81676bba5df9d62e4cefd5d7b3896c125a98d1df554faab753463b005f98b3103f32444a6a391b4d5dced6edfc67bce5f5926c36e625f281e1d98fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d480c6d6242395af53ad5ab038e00153

SHA1
abcd7259d06f4ac43792e4ef09b99abf47000c29

SHA256
43b82fcfecfaa9fbb64e22437848d870485ad38c6c5b06caafa94fc8bc391359

SHA512
9d762c73cbe1f04e4b769d73fc6de25f8dc1f3f1a167bdf6127d2c9867565919e406b571f75d5c1e737cc87df42ab68dc28c9bcefb7fb9b40c939e33156d191b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3290ff1df15868ea9459aff8760af593

SHA1
c8a18cfd2b978e1f71e0084dc621ef3fd2723f17

SHA256
879a06e0e46b2771ebe13b839150383ebc7597d061f0c2ab1bc343af8fbdeb68

SHA512
884cfd1b768148b1e192e30124f893bb1c2b2d73c22faec0f5804390db611022388cbc616c424c11a5ae15c0028beb45a6dab6d643e02e6e3832a4ddfe16a5a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
74223b215039316bd952beb2a9eb3c14

SHA1
8e4c3153fa784fce7dfcaade7d341a0bbef67666

SHA256
f30959e56eecdb4da45a5b2e1d6d24216abf6901639717a92f1b75b6dbaab3cb

SHA512
bda60b7932b896b772b3fbf06e3b4d9491126fe35e7cc976145b7d5d01e2180e6bfb69ced68ab01bc290d0163500fd7123bc139f6f6085918c8435a5ae86526a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
482b0a3cad7529e6e2ee52b33654b47d

SHA1
ca14fe5e634e0e4d03364c507acebfb1bac50960

SHA256
4b421272d5ff25fed5a84ba1e3b79c490ca7c4554957e6a9e4352784af36c85f

SHA512
0034f836a63b23ee1d4fb296e5b2f7506996e197d2788104f2807d8859500f8f3a1ba6c284d84262e9ad4e2cd3debd091bf4664c60b238831b0f09ecbd9aff14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a50634aee808704e8740ee57bd80406

SHA1
ebc10cd884bb6b30776977377ad5ed28cd8d3128

SHA256
007e50fd80e6e55069dfadd00e886e5ee7c4d64edfb5655f424a51faae2dc2d5

SHA512
3b1cc9d71ff7bbb4efa82981c30ea695ad5066701d28d4cba515f10d82af488f9b89a80579cb4bc66996a2e497e75ce111b849730e171d0bfb2fe7e8d006b868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
605b6d852b6604132be1c1bdbf1a5896

SHA1
4692d1f661698427ba4c4af6988c8c1f933c56f9

SHA256
fab765ac8fd48b26ea7fae12b6d027a9a6ce21f4059df4012b874f04a52a458e

SHA512
472a63b6c97b4ee8b9f5dfbf237ecc0664b64a9a53548ed795efad09f84d8a01fb11203f302b22d3861db8c81810642e0f5811ada65a4ae053c9f90949f29091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70d19d88590df9a2cc203ca916c98562

SHA1
5aea6c64fb2b5f5dea8a973b7205b86463abc77f

SHA256
edd10ce0484b1d0c4dd02b95e5da57366ea88931ee239448d31036cd94dff4e1

SHA512
ece289b358b69a30b51c9f3e7529f4d3030986e1e730a14a2e3f881095e053f74bb2c60c0d52087e679c20282935c40067c3c5d70f7aab6263df3ea47caed60b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe595ae8.TMP

Filesize
704B

MD5
a0b039a31765009a82737428e943983e

SHA1
c5ee7fe416b89dccada13c8e453f93840bf4b627

SHA256
c9470b787a4eb7eb79898d28e18c55e31782b133984dc03e97ae76499870e1a5

SHA512
aadf36498a86cf24fd724a4d7afd8e5a08be367a01a354fd34aa31b9891a541d46eb39f1fefed7f6bc627bd2204696aca75ba7bf188877c151864fa0822c63f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ebfd8907281fbb2c9daa94ad1327d3f

SHA1
42fd0a61c7a9f5ca4806fdebf86f978d7b11bb3b

SHA256
c074e05ac3335fb1d43d6de7898ccc209dc1d5dcd644c183c73f1d2965dce77f

SHA512
f865652ac2e2b231878f6fb7808924c41b1ffc5e7ce72f83769b9d1f20e78fdbf118d6c316ff22c4eb82600fff16c0fe9f6d04c2770ac4ea5560aee95327701e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
900fcc36c80f4359a290ed8154b1ecf6

SHA1
4b650afc75cd33babef56c5aca9af757b29e6883

SHA256
38c129cc85e3abeed0d9ade5c2982bdf3c5866072b0c6da3f9466e29745f82c8

SHA512
faea9e70fdd2733d3e638fb5aed8a667306914a167be3828a358b3f3786c58826da40fc34ea5c924b4b12e0b3b70fd012c0e4d8f2c1af6891c71e2513158e09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fe3332119214e3bb5e52cb962a56c15c

SHA1
5a0818d5b40677d48bfae3221fb3b8559d202b01

SHA256
9a99cdb2f43998de60d6dcf3cad20b5491f89d7eff857fc513847b28fb883d26

SHA512
39f7a43610e3c755789339fb5d7e47d6a7f33183a57f87e63154a19b3b05d5f5a176cd7bd00b7d44f45fa08f99a869d647ef10479f6fd81c7bdba611b40df7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_566CEA45C5A84D53AAF4630FD0318604.dat

Filesize
940B

MD5
4c0cf994d83b39b62be8fd4671f1e4e7

SHA1
ced6977dbdefddb83c9b3264d9d6a516928758ff

SHA256
f8720717d55451885519d36ac80fe6f95cb01b2d6bb71d59ddc062167174ed67

SHA512
ca2d04d171acd5f5f2716a93494a7aaf44eb38c7ad43d8641b94e18c4922718b6b96c2f56c5f7eba6bc03ff79f81ae731c28d333ed78bd8fc7f227dcb2d3c3dc

Download Submit
C:\Users\Admin\Downloads\Executor.zip

Filesize
5.8MB

MD5
956e19b636b18bb0abac9466a97fc444

SHA1
4eeed55dbd88b17b31030f11786d11d63eaf97e4

SHA256
e80ce65e2875c14536961cac4fec8860e110e2549fd03323d227117bdb9340b5

SHA512
f04a620a75b6d6f290e0e25aaaac478294d99a76fd84202fcf937f11d931cd810c5b11ec2c646c8313035d092e96c521cb1ee50b0058039178fcd1261def5eae

Download Submit
C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat

Filesize
19B

MD5
6ba539a80c1ca6cc38677f419ae51d7d

SHA1
2f592e7d286d4af325b4062affc0ce74ab5842fc

SHA256
241d6b996f851c99018599915e80e40cf92f930190b6e23831ca4469e967e320

SHA512
6f1bc4a697c69d236dcfb88cbb9912b0d4d972b7c64f556a60ba448c11b0311be3e74f3ef1f38094b3ee6335210827db5f595913865f6762c8c83fceb0411656

Download Submit
memory/1120-228-0x000001F1A4100000-0x000001F1A4101000-memory.dmp

Filesize
4KB

Download
memory/1120-193-0x000001F19BC60000-0x000001F19BC70000-memory.dmp

Filesize
64KB

Download
memory/1120-209-0x000001F19BD60000-0x000001F19BD70000-memory.dmp

Filesize
64KB

Download
memory/1120-225-0x000001F1A40D0000-0x000001F1A40D1000-memory.dmp

Filesize
4KB

Download
memory/1120-227-0x000001F1A4100000-0x000001F1A4101000-memory.dmp

Filesize
4KB

Download
memory/1120-229-0x000001F1A4210000-0x000001F1A4211000-memory.dmp

Filesize
4KB

Download
memory/1944-186-0x00007FFD26480000-0x00007FFD26F41000-memory.dmp

Filesize
10.8MB

Download
memory/1944-188-0x00007FFD26480000-0x00007FFD26F41000-memory.dmp

Filesize
10.8MB

Download
memory/1944-189-0x000002AD9E4F0000-0x000002AD9E500000-memory.dmp

Filesize
64KB

Download
memory/5468-158-0x00007FFD26480000-0x00007FFD26F41000-memory.dmp

Filesize
10.8MB

Download
memory/5468-187-0x00007FFD26480000-0x00007FFD26F41000-memory.dmp

Filesize
10.8MB

Download
memory/5468-159-0x00000212A1C10000-0x00000212A1C20000-memory.dmp

Filesize
64KB

Download
memory/5888-146-0x000001B21F120000-0x000001B21F12E000-memory.dmp

Filesize
56KB

Download
memory/5888-151-0x000001B21F0C0000-0x000001B21F0D0000-memory.dmp

Filesize
64KB

Download
memory/5888-147-0x000001B21F0C0000-0x000001B21F0D0000-memory.dmp

Filesize
64KB

Download
memory/5888-183-0x000001B21F0C0000-0x000001B21F0D0000-memory.dmp

Filesize
64KB

Download
memory/5888-145-0x000001B21F580000-0x000001B21F62A000-memory.dmp

Filesize
680KB

Download
memory/5888-135-0x00007FFD26480000-0x00007FFD26F41000-memory.dmp

Filesize
10.8MB

Download
memory/5888-123-0x000001B21F950000-0x000001B21FE78000-memory.dmp

Filesize
5.2MB

Download
memory/5888-122-0x000001B21F0C0000-0x000001B21F0D0000-memory.dmp

Filesize
64KB

Download
memory/5888-121-0x00007FFD26480000-0x00007FFD26F41000-memory.dmp

Filesize
10.8MB

Download
memory/5888-120-0x000001B21F150000-0x000001B21F312000-memory.dmp

Filesize
1.8MB

Download
memory/5888-119-0x000001B204B30000-0x000001B204B48000-memory.dmp

Filesize
96KB

Download