discordrat | hxxps://filetransfer[.]io/data-package/FJGQEiJW#link

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filetransfer.io/data-package/FJGQEiJW#link

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNzA3NzI2Njc5OTEzMjc5NA.G6xQaE.4zXFoh6BPZlAIhLi46DSS2BaJjbxuU5eXQ1tP8
server_id
1190067527355744316

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
123	discord.com
124	discord.com
128	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{1B0236C7-D84A-4177-9C18-ACE2A65F7B0B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
3036	msedge.exe
3036	msedge.exe
3048	identity_helper.exe
3048	identity_helper.exe
4140	msedge.exe
4140	msedge.exe
4896	msedge.exe
4896	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	build.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2244	3036	msedge.exe	83
PID 3036 wrote to memory of 2244	3036	msedge.exe	83
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 3676	3036	msedge.exe	84
PID 3036 wrote to memory of 4660	3036	msedge.exe	85
PID 3036 wrote to memory of 4660	3036	msedge.exe	85
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86
PID 3036 wrote to memory of 2624	3036	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filetransfer.io/data-package/FJGQEiJW#link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff983bf46f8,0x7ff983bf4708,0x7ff983bf4718
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4272 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1384 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8385456508325783757,334918196485612889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Executor.zip\Main\RUN_ME.bat" "
1⤵
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\RUN_ME.bat" "
1⤵
PID:4556
- C:\Users\Admin\Downloads\Executor\Main\build.exe
  build.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e7a2f8c1f5060dd8cf5d8207dd763efc

SHA1
a46f9c6f594318e2f5f090ac1ee0f103cb8ea41e

SHA256
d3e159f669fb03317ea6d73ea69735db06ba75deed81d48a368430fd64d11b62

SHA512
d0effda3c3f63d183be5adb28d9dabdfa04274488ce54f4553d5a343ac6b1e6a57e81790fc4ef582610bab526779fcebca7979e06c6f3ebf95ac9ff0dd5267ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9b6ec6f7e47b228fe2c7d3a6a17645b3

SHA1
44236ab839dbcb048eaf2176e1995a926af37132

SHA256
af1d155a8f8b6b2265c8ab61c1b10bb0bfba6b61599201a613817157d9792340

SHA512
95b360280ee5bc4086a1315b6d7873888be300febb960fed3217f379cc44b37312d823b1896d428a2cb6ffb0aee26c11b1b6e650e3b167c1a1987689228e5387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6cbceeda0f6c10ec84303bc86e87bd97

SHA1
0fc955f50d651c5f83e9237e049c3ca95fb0dd20

SHA256
ac3179a85648628a514a733294a9007cbf6a45b9a7441bd28ee4ebd1e36b527b

SHA512
64289e3b68c9d8030fcadfbb0a0dd1be174fd4b8c74f880d124115e4e197bf3f198a18d1772431a42e1954d90120eeed6335dae2b933f06b778bb05b9ca71775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbc8adb93fd04bdd0ccb85247a574d8f

SHA1
e8087d506cfc04f1ba48875eb8f25fd7a19710e8

SHA256
2f0f73ae09b69aa0c57cbe83a0494ec1c35c2f5b2d9f0becb234ee2523b983a8

SHA512
203b76fdffb1b28bb37739d347f13a0352f00911021709ae0186fd574114a7b38ccde89f03a35aaca476269faf7e4fb893123dda9670a6d54513d74478dcc178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0180beca5af39cc2ac16b73186128ca

SHA1
05a7299320c2d5250912c5c99349d9a7141f5e4b

SHA256
ebc498033d52e5391f77b28b6721b6ed3617eea16e41491c4695bdc2b90b9b5a

SHA512
ad4846f0b41f72a9d041a4f4e3d461787b3164065475b975718c194f0b7537a7fee47107aa1e4fbeccd60a99227159eb810ed2fc0875a9c9a155b71e1a45671b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a8556deaed14c336f40b06ad108ed6c6

SHA1
e6265f2d30b940c26874f8a5bf88813a0b4c9e3a

SHA256
0e87035f74eef9fce2a8c6547835c92a1a7c78b85f0a0bb9360fce285df80d24

SHA512
d58f3d9f21c8d0fbf6ee1fe14042b3d76ee618fb01b7bfcf8115e749080fffe01ba9e88015024223c596af13b462c40f46fb3fdd9217e2b9024b825f08899227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a728a54e42bafbb6c53832fbbca06567

SHA1
46ad50b1bb8ba6d9f076193b703746b5ad0c6f89

SHA256
634dcb344b3e7c847068f09df9ad5bd8115621bfb20a44dd4d834f9de53bae4e

SHA512
5fd11c88cd0756169634db807d26f7e9ce807971ff9524cad9a7e0e434112b99d9e7335aac50d17aa3cff0c70b76e9e940da9b13993ec0a5bbfebcefbb2cb812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
824260e50d52048814410354e2ea799a

SHA1
42042b555de071e3c9e0a7fde63abbddcf68cf6f

SHA256
b6fd6ba566ee57078a3df8f06c32e003f17674fa1b06977ff80fdeff268bae4b

SHA512
3737f8edfe481e4e94231a8851c575aa190e2eca0ff36a3a9f0cbaf2826cd62baee21b7cb130ac84405751d201fa6e9bbb1d0b90c1395f93ebdcc04cbe09ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2b0c2fa2c2c1aeff86a5ed58768d74f3

SHA1
17e8977a4482e431a104500fe20a72ef367eeab2

SHA256
2f8f3f33116a22064e0cbdbaf2b6ef72ac49c3d38f1cce8c5544b12d1621686a

SHA512
4eb76b8afbceb6c4b6834b50b1ed4137026a92b9f4b0525db2166626290a1429362cb6fcac9f43759e3f32b0b895b4674a4ff8d012755aefe9869b115e6922a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8ec62a1dcc768d8839102fb6a6d4c25

SHA1
4fa971aff938642dd23163fc3a30a81774a1271d

SHA256
8fc5597b92c7e526d5f3baffa193fd99e0d4272e9d9a59932e47129b0cb61d16

SHA512
1dec7ccd61d3e451e5180a374e9c3b0f44fd74c16b058b35e5b4a6e80c686b4b3b1deadf2ad19d49bd06da919f32164e50f024a0a38c46da7adb3ed9bf39b4f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1764b3de6aa0c137fd4884302f0bcda

SHA1
1385e120df213276afc18a05c8e82e5b8c477e95

SHA256
69bcd4b686391686dbfa625d6fc147dceb0f1e4fb31ef47a13fb0b2919dca04e

SHA512
f5530bac77576cf88ca0ccafa552c8b74300b3ca4643aa95273ce2b81316b4238183b8f125eaaa3b6be393a66068c9282d53b6a37d2c21bcfcbda09ec04ac32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f462.TMP

Filesize
704B

MD5
886d56d708f92cf3e11bcfa494562cfc

SHA1
2ca34a3e8869de2051071169be77aa9ee1cc8c68

SHA256
f8b81f412dd175c4f527838bbfabcab754d686c318a381dde8368dfd69665e65

SHA512
e81e1433b0487724cd3ece7883dd690111800518b4ee813093c2e75e5571049f580ec75c7b94a2fd411db326a98977697ae15f0ed17ad3ead628f62f058ef67d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bd5fcdd9-2368-4a4b-b2af-6e5c164d9a8e.tmp

Filesize
1KB

MD5
5a7098a2358dbf909b48d3472e7df0d1

SHA1
0932ec152ef96c8f2a33b11b164a491d0aee754f

SHA256
f5737cab81ebc5560350d63eb49efbccd1e2f0b69a1681576d8107f5ebe916ff

SHA512
fcc82243e4399a1de6d1a9da960c5b7e12a27175ecd877881f8e64e5cbce7152f67bd9df49f9492f64bfc62a5db197d2245699c3794f7ed422b5ac63090d28ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ac66d042d0c19b6a422f72e9a44da16

SHA1
4843860abebfd3185890ccbac1b8d82ae559cb41

SHA256
86b84e8b48a49a64ed18b7201cb18cb721b46e9e5e2b8087a256e5c467196e01

SHA512
330af2bdd6b7cc3885e03991321c5377f7cd79c73451705ba224e7b3d857f924448681e84cdd8fb795ce0c73a70d515d98f2fd6b49bbc2dcf90ff781a9609480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75eb579a835a8265482fa345a38c7113

SHA1
598daedd564590abae81d454fcb2c4bda82ccf48

SHA256
95ffde093f65591d499f9364ba90b17d191b1a94730d0db9f5a4a83e4f4136d1

SHA512
797e5de07758d2aeed4ed7afc554808fa58ddd9eadf2faaeded4a04c1f38796e8dfa72c00ab319c5e5d2082091853b43766acf10236934c031519e91b9c82326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b9b1cc4541c2043e74e280f0554cf27f

SHA1
eab0229868141bc340e281163e4eadd2bdd06243

SHA256
61e1e0718f99350351b3d1922558153d637639da7409528615e6876e3741d309

SHA512
3ca532d870efa72656a25f5d95f1094c9306f8d2e20d934e95d8dbde7e9481b0f97c9537c576c6eacfa0e05f1aea4a2b99ebfb3fbb04172e2d3bb2d63df42816

Download Submit
C:\Users\Admin\Downloads\Executor.zip

Filesize
5.8MB

MD5
8a6daae5b930ad9e5b9d022cff5e7123

SHA1
291e04fd17af8bdd16c90a855ae5b664b8c07531

SHA256
3b675a52dfa1c46e2ab9d8632161e52727b2028d67c676ee801d34fe6550aab7

SHA512
bc30bcdd9398d19a57d67b5db78fc33171dd378c3602439960ec8d039f072754f3c6ff85203563c208803646d04f153ce2492ee00f67cd81f2af0cc8416d03ae

Download Submit
memory/2896-287-0x000002254D9F0000-0x000002254DBB2000-memory.dmp

Filesize
1.8MB

Download
memory/2896-322-0x00007FF96FED0000-0x00007FF970991000-memory.dmp

Filesize
10.8MB

Download
memory/2896-290-0x000002254E1F0000-0x000002254E718000-memory.dmp

Filesize
5.2MB

Download
memory/2896-289-0x00000225337B0000-0x00000225337C0000-memory.dmp

Filesize
64KB

Download
memory/2896-288-0x00007FF96FED0000-0x00007FF970991000-memory.dmp

Filesize
10.8MB

Download
memory/2896-286-0x00000225333F0000-0x0000022533408000-memory.dmp

Filesize
96KB

Download