Analysis
-
max time kernel: 1680s
max time network: 1685s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 14:20
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1239648177007624202/1242214561080410272/DiscordGiftCodeBruteForcer.exe?ex=6673ea36&is=667298b6&hm=d55c63c88970cfcfd5a735244186b2092697930472b18d830c8f4baa0adfa9d3&
Resource: win10v2004-20240611-en
General
-
Target: https://cdn.discordapp.com/attachments/1239648177007624202/1242214561080410272/DiscordGiftCodeBruteForcer.exe?ex=6673ea36&is=667298b6&hm=d55c63c88970cfcfd5a735244186b2092697930472b18d830c8f4baa0adfa9d3&
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
Processes (pid, process):
- 5024 DiscordGiftCodeBruteForcer.exe
- 5324 DiscordGiftCodeBruteForcer.exe
- 5656 DiscordGiftCodeBruteForcer.exe
- 5812 DiscordGiftCodeBruteForcer.exe
- 5772 DiscordGiftCodeBruteForcer.exe
- 5700 DiscordGiftCodeBruteForcer.exe
- 640 DiscordGiftCodeBruteForcer.exe
- 2772 DiscordGiftCodeBruteForcer.exe
-
Loads dropped DLL 52 IoCs
Processes (pid, process):
- 5324 DiscordGiftCodeBruteForcer.exe (13 entries)
- 5812 DiscordGiftCodeBruteForcer.exe (13 entries)
- 5700 DiscordGiftCodeBruteForcer.exe (13 entries)
- 2772 DiscordGiftCodeBruteForcer.exe (13 entries)
-
Detects Pyinstaller 1 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\Downloads\Unconfirmed 488287.crdownload pyinstaller
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
NTFS ADS 1 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 488287.crdownload:SmartScreen (msedge.exe)
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes (pid, process):
- 5864 NOTEPAD.EXE
- 1744 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (pid, process):
- 4112 msedge.exe (2 entries)
- 1012 msedge.exe (2 entries)
- 3944 identity_helper.exe (2 entries)
- 4364 msedge.exe (2 entries)
- 6068 msedge.exe (4 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes (pid, process):
- 1012 msedge.exe (8 entries)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes (description, pid, process):
- Token: 35 5324 DiscordGiftCodeBruteForcer.exe
- Token: 35 5812 DiscordGiftCodeBruteForcer.exe
- Token: SeBackupPrivilege 4456 svchost.exe
- Token: SeRestorePrivilege 4456 svchost.exe
- Token: SeSecurityPrivilege 4456 svchost.exe
- Token: SeTakeOwnershipPrivilege 4456 svchost.exe
- Token: 35 4456 svchost.exe
- Token: 35 5700 DiscordGiftCodeBruteForcer.exe
- Token: 35 2772 DiscordGiftCodeBruteForcer.exe
-
Suspicious use of FindShellTrayWindow 37 IoCs
Processes (pid, process):
- 1012 msedge.exe (37 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid, process):
- 1012 msedge.exe (24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process; distinct rows of the 64 listed):
- PID 1012 wrote to memory of 2116 (msedge.exe -> msedge.exe)
- PID 1012 wrote to memory of 760 (msedge.exe -> msedge.exe)
- PID 1012 wrote to memory of 4112 (msedge.exe -> msedge.exe)
- PID 1012 wrote to memory of 5064 (msedge.exe -> msedge.exe)
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1239648177007624202/1242214561080410272/DiscordGiftCodeBruteForcer.exe?ex=6673ea36&is=667298b6&hm=d55c63c88970cfcfd5a735244186b2092697930472b18d830c8f4baa0adfa9d3&
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1012
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbf60746f8,0x7ffbf6074708,0x7ffbf6074718
  PID:2116
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  PID:760
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  PID:5064
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  PID:2008
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  PID:1260
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  PID:1484
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  PID:3696
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  PID:3156
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3364 /prefetch:8
  PID:4968
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  PID:4344
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:8
  PID:1612
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  PID:3476
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  PID:4880
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
  C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
  "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
  - Executes dropped EXE
  PID:5024
    C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
    "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
      C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      PID:5464
  C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
  "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
  - Executes dropped EXE
  PID:5656
    C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
    "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5812
      C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      PID:5908
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,653485151118221077,1373149800118466476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  PID:5584
  C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
  "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
  - Executes dropped EXE
  PID:5772
    C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
    "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5700
  C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
  "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
  - Executes dropped EXE
  PID:640
    C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe
    "C:\Users\Admin\Downloads\DiscordGiftCodeBruteForcer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2772
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3228
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5432
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\proxies.txt
- Opens file in notepad (likely ransom note)
PID:5864
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hits.txt
- Opens file in notepad (likely ransom note)
PID:1744
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\_MEI50242\cryptography\hazmat\bindings\_constant_time.cp36-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI50242\cryptography\hazmat\bindings\_openssl.cp36-win_amd64.pyd