hxxps://cdn[.]discordapp[.]com/attachments/1162561795836350564/1212999733283651604/TS[.]Desync69900[.]exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&

Resubmissions

08/04/2024, 22:39 UTC

240408-2lb2sshc51 8

08/04/2024, 22:36 UTC

240408-2jnb2sdg84 8

Analysis

max time kernel
99s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
08/04/2024, 22:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3648	TS.Desync69900.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 811813.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\TS.Desync69900.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4244	msedge.exe
4244	msedge.exe
1176	msedge.exe
1176	msedge.exe
3440	identity_helper.exe
3440	identity_helper.exe
2548	msedge.exe
2548	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3556	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1360	1176	msedge.exe	76
PID 1176 wrote to memory of 1360	1176	msedge.exe	76
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4144	1176	msedge.exe	77
PID 1176 wrote to memory of 4244	1176	msedge.exe	78
PID 1176 wrote to memory of 4244	1176	msedge.exe	78
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79
PID 1176 wrote to memory of 3316	1176	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffc032d3cb8,0x7ffc032d3cc8,0x7ffc032d3cd8
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4152
- C:\Users\Admin\Downloads\TS.Desync69900.exe
  "C:\Users\Admin\Downloads\TS.Desync69900.exe"
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3556

Network

DNS

cdn.discordapp.com

msedge.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.135.233
DNS

ctldl.windowsupdate.com

msedge.exe

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

wu.azureedge.net

wu.azureedge.net

IN CNAME

wu.ec.azureedge.net

wu.ec.azureedge.net

IN CNAME

bg.apr-52dd2-0503.edgecastdns.net

bg.apr-52dd2-0503.edgecastdns.net

IN CNAME

hlb.apr-52dd2-0.edgecastdns.net

hlb.apr-52dd2-0.edgecastdns.net

IN CNAME

cs11.wpc.v0cdn.net

cs11.wpc.v0cdn.net

IN A

93.184.221.240
DNS

233.134.159.162.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

233.134.159.162.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
GET

https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&

msedge.exe

Remote address:

162.159.134.233:443

Request

GET /attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f& HTTP/2.0
host: cdn.discordapp.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Mon, 08 Apr 2024 22:37:08 GMT
content-type: application/x-msdos-program
content-length: 1533952
cf-ray: 8715bd80cb98dcf3-LHR
cf-cache-status: HIT
accept-ranges: bytes, bytes
age: 410738
cache-control: public, max-age=31536000
content-disposition: attachment; filename="TS.Desync69900.exe"
etag: "aaf1ba15541f90afc068bd08b2ddc456"
expires: Tue, 08 Apr 2025 22:37:08 GMT
last-modified: Fri, 01 Mar 2024 05:47:52 GMT
vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-goog-generation: 1709272072918624
x-goog-hash: crc32c=vKqdaQ==
x-goog-hash: md5=qvG6FVQfkK/AaL0Ist3EVg==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1533952
x-guploader-uploadid: ABPtcPoSFb5yMoVstLOC3ckWE0fV2FRSvfx_UERTM-prM6R3hLr6y6T7fkS-C09F-4GSq8d-k1E
x-robots-tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
set-cookie: __cf_bm=z2k60nGWPdrb631uHxGhCmAfBsfj2aQ5jPWTVs.yrug-1712615828-1.0.1.1-y.ncep.zdxzCG8ccViE2kFR7z_kvtgiTkbhu.RTNGFq.f9tDqfUhWB7jF.EAt.qqXa.wPlzOv.LjfE5TaZnCgQ; path=/; expires=Mon, 08-Apr-24 23:07:08 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19WciqGist8HuLNbZ6Q1m0%2BZ%2FDuHagayPuybauKISllYKf6A5Dh9T7n84Z5DfQthYPPqVkw97gcJHM4y3TbuZZuip9ZWKorrrjjLHdtu%2FwvboZlill33MT1nlTdpQuy7fhI9mw%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
set-cookie: _cfuvid=4lQtAQ3jTqUDY_wEsZ_bQoDSIgI_KTq4AVjF5L07qpc-1712615828624-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
server: cloudflare
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response

162.159.134.233:443

https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&

tls, http2

msedge.exe

35.2kB
1.6MB
715
1154

HTTP Request

GET https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&

HTTP Response

200

8.8.8.8:53

cdn.discordapp.com

dns

msedge.exe

279 B
716 B
4
4

DNS Request

cdn.discordapp.com

DNS Response

162.159.134.233

162.159.130.233

162.159.129.233

162.159.133.233

162.159.135.233

DNS Request

ctldl.windowsupdate.com

DNS Response

93.184.221.240

DNS Request

233.134.159.162.in-addr.arpa

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
224.0.0.251:5353

461 B
7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec7568123e3bee98a389e115698dffeb

SHA1
1542627dbcbaf7d93fcadb771191f18c2248238c

SHA256
5b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75

SHA512
4a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
d996adb4b3f42fb7d5530665cf885cbf

SHA1
61666e084f213e1b6aece3a9191b6bd1fcacfd42

SHA256
44f7e691c2c839616cca77341395292b1804d8268c09baa20704b20826f45f56

SHA512
0f731ddc1f60ccb2993e583310dfcfde53c94b6984aa01aba8ef80cc17313d654024c6a22619ffeb020a01d3f240b4cdc9c68cea9e0053a71618e1d59fe776fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6c78ac585214d41e9c65f7728d4d7bdd

SHA1
447a0dcb31be603cbea831770f2142d0bd0d5bb9

SHA256
c795e0480dac15b5f0e51095e7ce63cdf1df1db7c7edc4ee7aca0536a7456958

SHA512
d7aea2bec53003956ac681296109dd3ad9f99ec2ecd964e72dfe0092d6546d43a6c7e2b2bf3e714b35c2e94af6b299099ea4175ff66f6c8f5c847828da3e736b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1836792eac3ea8f3e05b533ba2db5b67

SHA1
2419f34b7a52ef66ce81700d4057fb1a65c52da9

SHA256
71d447f0b255f4848e153444b224e0068b9f47d57f5832307dfc6124b466bcb9

SHA512
4d598515219da976fa315ed1863b583c412d08474d65a3905727d93ae75aba48976d9c823df3fb26c2d3f34ae4e6a13e90dba75ccb71a1acbbdb6e877aaaaf36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb17ef86373f1cf6105e8e0737a6faf9

SHA1
4bd61b82c5506a9fe0acd9494bac9ed0d5fdd90d

SHA256
93e854ad97190d71c536a52c7707a480f84f5b922fd948c16e7b5f27a848d586

SHA512
75b44480dd738323eb63112530488074fe55625ea90c73606dff5221036624399801216daf6629e19a3bb3696eff3d375ac60a7faf38964dbc29c8d30a4ba8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
0ba15f72ffb0a37243558588d3e78221

SHA1
814bdfffd723f7de9f8d6d6a0bc8d85a9f275cc0

SHA256
3d0223e1f8bb35870db41872cfbbe467f65bf9a1208dcb4d4ad874e250ccc10a

SHA512
02b168ef9cc226a08955092173c3745a55b28faa438b8152acb90d3bc1d9f433de7d8341def8b452db1986392a59cabc7c69689ad00825c58371ca78021183be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7560fc9a05d2b83c3e62857556102201

SHA1
68b8f0441772f383f98fe6261d03d0330e9c0fe4

SHA256
003d15e69cd20e149a4da3cbd5ee4e4e11fb882e2ae9c7e99cbc64c68aa823c0

SHA512
4d85d3b08736c1e5bbeb6f3a27740c47094884fc25bbb6136648b7d6b7481cede9a65218587a817f06db983cf2e36e04d20933584ac4f011ed617fcc27547fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
295ba1afdcfb8603c8713554b1c347e5

SHA1
77fe6b02cf85379c5b1527b0a863531d0e6ade56

SHA256
ee322be3a38817a49ed95ddc13b977ff8f0c3c0d06418f6157f03c87aebe90c6

SHA512
11a5d42ded86463bfec04bdda4b9d0125816f519a091e49384bd293f6a487fc33bbf0d00038dbae4bcc643f91029f44f9a74201ce64cef7e47b86674bd82a4d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
e3b6a0110df2c31bfea0b9c962b5931d

SHA1
dd63409db214a27374a41e3e5966e3768e991488

SHA256
a32cf451972383871afd3a27103036c96f29848612e39436441e023fdd22c28d

SHA512
9e55495ac0c179cf30cc0b563958bda98e15dde4eeeb61f600a59a09ef3fbc8eec959bc7792f876bce43ac0e252f9b3a83360e503c1cf012d795243a21134161

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
3c0b1b1f6326a3e62d45ca5721f8ff7d

SHA1
7eb8620130617d3efaab96ee505d1cfa3252e4b6

SHA256
f5dad65983772d2e7732adf38262d3ebd1ec0bc0fa8b284fc37c0be671496d69

SHA512
802b390c1888f9192a6256c399aef5602c0b7eed264355ee302206ec51c64d5d1bd60743f213572c2f946cc03ed873fe614988f4e583c0ba563ca705f75399dd

Download Submit
C:\Users\Admin\Downloads\TS.Desync69900.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 811813.crdownload

Filesize
1.5MB

MD5
aaf1ba15541f90afc068bd08b2ddc456

SHA1
a6add5aae8cc0eeda7d0d5417ab978608d9e7a6f

SHA256
3ae209c4dc4c7b42db3e1fc3081e302b30c346cba789e5a0aa6f1be26d775779

SHA512
cac7b4526133680a2bd8f9ec3cdc3dc72d928798f5e9d997793a8796cadef1f30f02e87e1bc09acaac9cce6458cf903a788f9a042f877d562f6e56038463086e

Download Submit
memory/3648-99-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3648-101-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3648-100-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/3648-98-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3648-97-0x0000000005B30000-0x00000000060D6000-memory.dmp

Filesize
5.6MB

Download
memory/3648-142-0x0000000074A50000-0x0000000075201000-memory.dmp

Filesize
7.7MB

Download
memory/3648-143-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3648-144-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3648-160-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3648-95-0x0000000074A50000-0x0000000075201000-memory.dmp

Filesize
7.7MB

Download
memory/3648-96-0x0000000000900000-0x0000000000A7C000-memory.dmp

Filesize
1.5MB

Download
memory/3648-188-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.