discordrat | 7751eff004a2e39e4114762476fd1593128256bb9d953bed78d6bb049b8e5d77

Analysis

max time kernel
209s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 17:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

rpZJJ8Eb.html
Size

19KB
MD5

3c41b9eb842d25a55c0c896ea6126f70
SHA1

00fbd7772b12c91ea970b3b02399278e818507b7
SHA256

7751eff004a2e39e4114762476fd1593128256bb9d953bed78d6bb049b8e5d77
SHA512

768dfff2fc78e2e8eabcdeace2e980c727fb539a9709ee1734da0f86c6fc77a7f824dd6619467c183be20b5bead98a30e6f776a6270dbc796f7b35cd32632403
SSDEEP

384:ZbFVFR+7V8+7kbBkEPg9VqL+fGZzsg2RrgoAOnC0JqsTSpF6:ZR3R8VB7kbB949U+UsTSpF6

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MTg4MzU2MTkxNzg3NDI1Nw.GkWNk2.51TyK928OzXAWuMfCBw__cHbmMY6GwTTy3tGIg
server_id
1251222279690518670

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

samojamess.exeSamocar.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	samojamess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	Samocar.exe

Executes dropped EXE 3 IoCs

Processes:

samojamess.exeSamocar.exeEchomicbooster.exe

pid process

724 samojamess.exe
5716 Samocar.exe
2800 Echomicbooster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
724	samojamess.exe
5716	Samocar.exe
2800	Echomicbooster.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
363	discord.com
382	discord.com
392	discord.com
362	discord.com
390	raw.githubusercontent.com
369	discord.com
370	discord.com
381	discord.com
393	discord.com
56	pastebin.com
60	pastebin.com
367	discord.com
391	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 118804.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 118804.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1068	msedge.exe
1068	msedge.exe
3044	msedge.exe
3044	msedge.exe
1980	identity_helper.exe
1980	identity_helper.exe
6140	msedge.exe
6140	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

msedge.exe

pid	process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Echomicbooster.exe

description pid process

Token: SeDebugPrivilege 2800 Echomicbooster.exe
Token: SeShutdownPrivilege 2800 Echomicbooster.exe

description	pid	process
Token: SeDebugPrivilege	2800	Echomicbooster.exe
Token: SeShutdownPrivilege	2800	Echomicbooster.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3044 wrote to memory of 1288	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 1288	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 3600	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 1068	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 1068	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2128	3044	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\rpZJJ8Eb.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb319846f8,0x7ffb31984708,0x7ffb31984718
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8504 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8628 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8808 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8648 /prefetch:8
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7220 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6140
- C:\Users\Admin\Downloads\samojamess.exe
  "C:\Users\Admin\Downloads\samojamess.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Samocar.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Samocar.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echomicbooster.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echomicbooster.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5357519515074364838,17052665768987271014,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
62KB

MD5
42d9fcc7172456834d9e05605cfb999f

SHA1
d1df0982a953011482b7cc5e97803a5fae290ba7

SHA256
5029f1471e648ecdf5518199b5d7a6fdcf2dab7b9ba8367331b0836de3064575

SHA512
5fc471dfd6cf0516739b40db211b4f1e0d3e27e7b53eb1e0c8d34f7ddf5d09ff520bd4c3b7baca993857fd462f184621391fed363a548bc7b50eee3b7ef6ade8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
19KB

MD5
e78f9f9e3c27e7c593b4355a84d7f65a

SHA1
562ce4ba516712d05ed293f34385d18f7138c904

SHA256
75488ac5677083f252c43009f026c2ec023ac4da3e65c5d7a084742e32abce3d

SHA512
05f9fbbd59c286024b3ad49961c4e0eaa1abcf36ed29a1d07ea73d2b057075d46fbfdda56f135145f942bd0c3d48246c73be1771c21861eec4ddf8bbc365a286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
31KB

MD5
60140bc834da90837a9a4d1530484677

SHA1
d99868b0693b332681b4db7927f3f11b3ed37607

SHA256
29c0ba2fb11f5bbedff938e0d0a97da59f725cd153bc0c04f052419e779f134e

SHA512
448ddc49ab5128dfc0dc91ebe388d447e748848cd2f7dc15fe1fd0380a5436cc9872c32606d9d161d3648b20bff5eda0e48e8fb77c9293f3c0924ae89589eb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0c41f6f52e8c571d_0

Filesize
332KB

MD5
5c3b12608b677bb703c0871079fd88ff

SHA1
1b36b6492a7037f50ed9159363551e55082065c9

SHA256
c77349619bf188f354fec1b80eabdc4979fc0f09858359433d4ce8e4388191ab

SHA512
0acf9bd1345e6edc048ceee19242d84aa3a5b433e66dfd4f4fc98a075aa089cd8baf86b4f8f2638efa933f5830b9f6f0554448bcc8a714e53eceee2c41d4f5bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3c949d719cd125b5_0

Filesize
276B

MD5
e9f046edc3fd7b63260867eaf08ac580

SHA1
04f3e09d896bc6a8a4a3817b526cb8f0a8bea0e0

SHA256
efbde3b2deaca98a5d1fcfdad54860637fc45ebbe26978e4dc09083eee301b53

SHA512
2ecdf853d03a446bd9398eaf84efe864036426f0a2235a2f2b47092f67086aadf4db49e3489887fb0c379e40dc271f24226b5289815e4fba4fd1f3452b3738d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\57c4d0ce0b6cea04_0

Filesize
286B

MD5
8a381a92e13dee00b42f19c4a54374d1

SHA1
c010740eff69f75e80bb97711de7b9bc57af1c69

SHA256
a69fa8996c3b34a1b787b39b439e6d7ec54abea2b43139f60dd7b1a905c98d09

SHA512
727633e78d6e469d0e3d0400e5cb0f67d767cdefa67751362382c97aff309a287cd0d05ecfdd36ad5297e876078502a1963954d39d5527ceb0f1027c4a98df3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\816bd7ca7ec1f685_0

Filesize
141KB

MD5
1d1eed6f1ef959ae8520afb949f3cbe1

SHA1
30976cad5d2904c95cd05323d6d5fd3bbedc5f41

SHA256
cd82b8a8ed27b34c05a53aaa10e7604db4ee3fb3f68b10c05e9cc008b4008f37

SHA512
2c83d21f8b8e713ea7be0ca02743407572f11d839a5efbe128c3faba476e9b9c321f1aa65a5c1daabb8729bbe4813cc9f0171a9c875c6911602c5bbd855d6928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9d0814bfdb4bf5f3_0

Filesize
21KB

MD5
576b5f38a1d58662f287dec555b72d5f

SHA1
9e29eb9df4f87a12aba638e75f8710e02b6e748b

SHA256
5b464b311de446ce8ea5f3d60a7418722e03e84b5a2e9b6583edfae747102422

SHA512
90dfd947787ee96f37a7036267b4f0fd8ced4c2dd772390e3eba350b43adc6892ef1ca6b12721989e1d9c15cf569aef5daca796591cab2e57fef62933a4062de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c5cd11cec9ffdf22_0

Filesize
54KB

MD5
e57531c330786536df814de52829c9b4

SHA1
759cf6f38e452ca038445b2b818354735c813f52

SHA256
d0e054036296b9e9c84df7ccc1877788122cf419ae4e8e6ccba2b37c2ee1c31b

SHA512
f6983f952bf447a6e0f2791e7eecf8b3d0285d6aaf819e525c5a5a942db8ed3585bb94468bfc120a52d005958ff92b4aa0de6cae054d94f7bad78ef181b94159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cc9fe50e720ad078_0

Filesize
11KB

MD5
d9296c674cf159b117643fc90106d941

SHA1
c29ac779bd625628a1af68dc3f095d46c483fdd1

SHA256
5e2471089e7849fd1ef166574a6c6c93195d24e979752c62ea3b5aa5296a7a7c

SHA512
9842e73b6c037d35cdd6e65993b545c16fba3514d8d19d1a572f185090a1e25fe1cb4051a4bb52b73be1af3f5e27d6f2533438e3d65f293329273813ea44419c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
3ff119be44db34efe1ecc609a083ea1c

SHA1
a113ac20fce5738958e85867c3c5cf73ee9c0f0f

SHA256
8d76082879076f39780b9e304978a56de5d39cd91ed23ba6213f2d7d11c49fba

SHA512
699cb4ae1d7202de121aeba963011c8b891b6ce319d846ad9bc5acfa6266ba292053e363a969789ee87c25f8916981057cc0aaf3c6f5864a209696e9f08dc89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
70803f054d53001d9baaa9a56a12adf1

SHA1
24946d7226442442076d7eb4207c1ed13a942fa5

SHA256
a70986b1b9766ea016b0fcea4beab490a167b727cf791ea6ed1fe85e576a9769

SHA512
6e9fa7a2ba5d82e9991d0e604851315b9760e6689fa1c6bf2c505a1621c98ff85f7202c42792a893d46f5a8ce1781b06e7ef8a1651154339644cc37353c80893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5870b62045da8543c5361ed31f99a147

SHA1
f13baa1831e17b4763db19b2b9a4f48e9f33cb5a

SHA256
eed047be1fc05153a312c4ae88dee124d2e1edcec6321c95adbfbfdb1d078f09

SHA512
51dac0478c1eb687b08dd53320c5f563ff87791de2590b35f9efea8f45ce46b3e95a29c9298262be44c2034e70859c8948d303fa7bd0aa8b09e9d629e1765750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000005.ldb

Filesize
44KB

MD5
4ba3595786ecc758642d632d424fb845

SHA1
fc9c5edd832e907a046b5dc4970931de5872efb3

SHA256
db39aeba54b63f046e7d5e941cfa8e84b1d92c0e29901d0988e3b62a491a1e00

SHA512
3b7765fc2da26eb9db3c1d6d588ea3cb0d13b2419106bb51660288b29dc7cd9a2bb6d1bb593aa8ef9affc26afa0da4695ac68d851ff3d26cdc3345871b77df9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
e0d06460b3e7ab208c7fa8218820d91b

SHA1
1bc9aa2cdbda5045721f98ee922c899a15a15fc8

SHA256
cf63a5a23cc89c8a78728829a21a9c056382ac17dbd1b8d75a3622a0e48587c9

SHA512
2b02b57211ab18e9adc9d9254c30e1e096903415de46b24e75fc9f5f6874cedd8076de0e0979f2800e33161f1b36c49bc395656ed0df2c2f4790f83da5340986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
383B

MD5
3003cf761bfb245d8235d159c36a5a50

SHA1
74e5e28bbfb6f618e755ed1724c779bf4d6bffc6

SHA256
1ef8381f0ffa85c9bcb863109990adc372b022beab8f27b95182ab28ba96a711

SHA512
8e3894c110c5c8fad3fb2a61a2535e8c623a122a273e1f2e3e518c1782c517d8eb247bde48c6396e3f125614d25fbb3549f44e9516c5e61a3ecbdc4cb01e0a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
5c2519b76deea96e8ab8bc236e3314f2

SHA1
bef196867925f7b8e8c34f2d04358b3ca90c9ead

SHA256
991a0ed3ffce8d140a7f259211690ea81e5746fcda17cde1e42c655403e6e76b

SHA512
f562d47b46474576c597553248d61fd1a4d6e3cd4ae4374c7b38012a9a19f6ecfdc8fd35eb6b18cf2ce6c52a03acc5ae74f49ff553a80e669abc2b955f956791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62083d876b4e787719772e2787f18edb

SHA1
405d70d1143cfc0356d7a1ca7de7b65aa81e1ec3

SHA256
9c504fa88e6de3ee21a149d609308a1f305cb1eca28d36b4bf1d2d69d3888134

SHA512
274b79bb538160096b760377d7289a2b6fc40b814e15f4f0cd018c12ed09d994b44dc1ee7f16bdbdb3bf52aa7af5bdca98dcd9e12f55735e570895ca7fe5e67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
01b921986e25aee999405e04e815f305

SHA1
18efc14bd1532a8a3132875a9ebae8b649024f4f

SHA256
693de0cf528de42a6d2cc54486c9847ea4b8d226f1fb8ef097c55df3542875e7

SHA512
2aa755c60366e448a0d79ed7eed1b950abbb0d3935ffff22f4fbb26feb70b357457a5fe6f35ff6c267d224b66075ea67880c081fa676eb41c61d06bf5f784086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8134577f4030c8fa72ce0c55f4579160

SHA1
b0cf704d6fa16616c72f11d4108588bbffeca975

SHA256
57971ea8ced768c0c079b67ca14139d40687c23f5bad21fbb90888f2f7a74376

SHA512
8298349bde95ea6caff9a91905919834419ebcfdaa31cd3787908ae1b870ec6efc740791754508cf99d27b194caf1de6e9cd5524127ad68edf68d7dd421e17e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
0ae5417ca6b81b1ba21d752d86c082be

SHA1
a58551ae4c2fbc0438be90956d8fad46d354488d

SHA256
7f4a24908fb4de2791943df63389a861dee7b31f0d76cd5ec5122a3bc0de0191

SHA512
beb913e080c9cc460a9a507b2742b334e0ecaf966e1bc7e7e22a52d42e8d6b0ffca1d49f9d722108b8e8a115bab63fa98066785af4ab30be861d4c5308f3e059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dbd00c1d34d347e9163b300b54928461

SHA1
93d02013fa7caf1155a58e42212b2d95663e2720

SHA256
ff9f427050d0f3714d2880b3908d30793889b1d043a7e23c1bbe1bdf1d9e6b58

SHA512
36d2bca0ded43f8a0f440cefa28fdffd5b07b0a694c774786278e1b0d49479320789b05ad21eaf26d39da6f5428507177ae19b303dfa2d1ea99ed703b66df886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
05d1e6b541e7e3d52f4e61af199ae37d

SHA1
cef817a87ca9994c2bc75f1b9cff49f502db32d8

SHA256
87d25919278182c77fc575bc43205e560664095184ad50db82332b3a3a185249

SHA512
fc5bb3d1b1fc7d1bbe97735a317ed43c71cea04b99dd753cf1af85b91cb6d59482904b0e6fb8e03a1c68ef386675e93efce594af7fed8879608b285689c56649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4a530b40ff6a3630d35970dbf3602ad8

SHA1
4d4879a097328c08ea75f10a8dfe8cb76dadf36a

SHA256
00abe44031a185be586c538ef742517a56e704a67aa29fda40499cd2c8ce423b

SHA512
c62465e9b38a2ad79eb1ad9f6a862deb6f6a34be8ee3fcf23190bb31e98a9e8cf312395df8b2f312c0a85817f658ae577ad7d2706f08464005a2f6e0817af846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cba41ed77cf6b1dcaf2d9d3aef8cdaed

SHA1
d0a79bbced53f8a99aea86b8b2e6b9e6b2382001

SHA256
22d11256657d7691c3b3e2ffe9b2f6163cd4dddff80f4421fceab87de483b85d

SHA512
317096c017a56edb4e89b614a79bae8fe6afe71c42252df42707bb1c0df7542b7eec87de066559a7bb660ff21469ae4b34674ea26da4d31f6d739c2ca173a093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b31f4a951713cbcb9ed00c16840db8a5

SHA1
f3b54b29aec1762fa9ee2b36dc124e6bc210d556

SHA256
803c284a26f2f4f78eefab4c243b7ac4db53d111561603ac1fb4d7eb841caa3f

SHA512
c10ebfe61e141ff21fb07b83c83dbc9577731e5fc00220a81295df3c4fbd827b80db600da6b1d06732aa177daa8a53546be4d23efe7b3dee1fc64e1560ffde55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589287.TMP

Filesize
203B

MD5
fdc6847a81421424ed3a84b0c58d18ff

SHA1
bdb91db10c265cb5fa0ab68acd3d10ee6b931ea4

SHA256
3bae2123cafed035c97429e8d45e755008347397042b248882fb5e3cceb03293

SHA512
15ea11448e45a783c33809adafe8c783f33e5fc16756ed9903bf02f5ed7b5d2452df325072c21f32bd3df623c64510325650cd559535589513e249909b7fd145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a2cbc1eb-8312-4b39-bd11-5ae06a11e305.tmp

Filesize
13KB

MD5
b497a60587b94f838b6320348f25ddc5

SHA1
5a9a249305155360ee1d8c42496c2fac91c2d4f1

SHA256
afc3334ad1432412fa2a0b3a364d243616946eeb0221fa17dc6646425395f6cd

SHA512
7239e71bbfb239e1644cd2b3b4ac6244b0555da66edb3362b46602b6badb2d59eb614356a5c981c12c7375a300ea6953b9a889ede51c0f6a9e44c42ba56e489b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
090adaf4d9dfbbbf83606ac4175c5069

SHA1
90762dc4d5ec301cbd781fcdaa9c843c69c74ec4

SHA256
d009c1ff033770f07d592640c659e5881f937c0d1a74542cb59a2c57c3b5a6fb

SHA512
476794d343cf6a7ae00a692003969db149a935e4e49f0cb49dada33e2a5c7e8c9a6df1e53a82c5eaf26f359693664af301b86e40b0b7c3597ba6658f8e5ef84c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1a6840a675ed0f34af3e9f3a393fa0ed

SHA1
552d6746af2a2bcef2d8309bb468a44d1431005a

SHA256
6953a10d47d2b713ebf7612280fe1fd828b2120d48b895eec16d1732cfbb049a

SHA512
73011cbbcef506a3a77c13acc90e741cd725909716a0a7f3e5fa6c4d182539383eaa407a6e69b9a7a27a694201e6d540950fbd684753b76fc5de37908cb4057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echomicbooster.exe

Filesize
78KB

MD5
55e51896036730dbc2d177cdc2e161c4

SHA1
be2a7de4335ee07b838878f8f595029ea0c6f4d0

SHA256
5cf5cff44116e13f59cf703bf82655fb9292e54e225deedcfb8c5bbe68f0cc23

SHA512
0f98199c661540309b45e9b0593a5d8a64371b3f60bff3f68c05e0f6e47aefa538193405688846bd4e3d0ff798d3476b0a09b14a4e9cb7cecc8e446cb44562da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Samocar.exe

Filesize
533KB

MD5
d226a6ec1e03842338b5132ee5543dc6

SHA1
d3014069af07ffe84a90a899c24988f26072c9e9

SHA256
cbd454dcea30a22c49253df5a8cc419a5849eaf46047f405759a1e1beababda3

SHA512
4433829570118abf2a398371bfb7f9d8b56379717632c907d6d91f9d58d308cde927021ac724fbc55ff17535fb7d4d0a57647f601216964f134c560db7a55f4d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 118804.crdownload

Filesize
844KB

MD5
c24e6942163415303be4f1400586c642

SHA1
a6b05d335fa74e76a1f6c2b58d281a0b3e460f94

SHA256
8c603818591ccbfce8c5b7c64e565012286b12878b8b5e604e1b9fe61877f4c7

SHA512
961ec3f9848be02e4109b2c7937e9b831ef07b030c3179a2462766100bffa2d3fe265e95424b12d4376361d133acab2c969de2103947c23a6943e4356ee56dfc

Download Submit
\??\pipe\LOCAL\crashpad_3044_YWPPBSLJGKBKGLBW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2800-432-0x000002D47EDC0000-0x000002D47F2E8000-memory.dmp

Filesize
5.2MB

Download
memory/2800-430-0x000002D47B200000-0x000002D47B218000-memory.dmp

Filesize
96KB

Download
memory/2800-501-0x000002D47EA10000-0x000002D47ECDA000-memory.dmp

Filesize
2.8MB

Download
memory/2800-431-0x000002D47DA40000-0x000002D47DC02000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads