Analysis

  • max time kernel
    102s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-06-2024 14:33

Errors

Reason
Machine shutdown

General

  • Target

    https://gofile.io/d/6YiFME

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU

  • server_id

    1250682422434074634

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/6YiFME
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9400c3cb8,0x7ff9400c3cc8,0x7ff9400c3cd8
      2⤵
        PID:1404
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
        2⤵
          PID:4564
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4196
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
          2⤵
            PID:2248
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
            2⤵
              PID:3716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
              2⤵
                PID:2240
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
                2⤵
                  PID:3900
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2508
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2892
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
                  2⤵
                    PID:1364
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                    2⤵
                      PID:4980
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
                      2⤵
                        PID:3904
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
                        2⤵
                          PID:1372
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
                          2⤵
                            PID:4488
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
                            2⤵
                              PID:912
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
                              2⤵
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:224
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
                              2⤵
                                PID:8544
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
                                2⤵
                                  PID:8516
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3368
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:800
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:1500
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4680
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3808
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4676
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2148
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2084
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1596
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3116
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1164
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2384
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4640
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5204
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5284
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5376
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5456
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5556
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5644
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5740
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5832
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5924
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6016
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6104
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6156
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6248
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6340
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6436
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6528
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6616
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6712
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6796
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6876
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6976
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7084
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6320
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7176
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7260
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7356
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7448
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7584
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7676
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7776
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7920
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:8160
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7200
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6432
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6872
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:8068
                                      • C:\Windows\System32\shutdown.exe
                                        "C:\Windows\System32\shutdown.exe" /s /t 0
                                        2⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:7056
                                    • C:\Users\Admin\Desktop\cdumper\compiler.exe
                                      "C:\Users\Admin\Desktop\cdumper\compiler.exe"
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3916
                                    • C:\Windows\system32\LogonUI.exe
                                      "LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
                                      1⤵
                                      • Modifies data under HKEY_USERS
                                      • Suspicious use of SetWindowsHookEx
                                      PID:760

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      9a91b6dd57fc9c4880d34e9e7c6b760f

                                      SHA1

                                      77a09da6ef4343a8b232386e000cd2d6b9fc30a3

                                      SHA256

                                      0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a

                                      SHA512

                                      9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      bbfb66ff6f5e565ac00d12dbb0f4113d

                                      SHA1

                                      8ee31313329123750487278afb3192d106752f17

                                      SHA256

                                      165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754

                                      SHA512

                                      8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      288B

                                      MD5

                                      5ab85f642f4509231d8398e512b3f9e8

                                      SHA1

                                      146aef5498a37b4db1fd82eb6270536993c2f571

                                      SHA256

                                      dd6c2854c264784911eb3c9c077f4ca4810bc6865fdd9bc94228408c002792b1

                                      SHA512

                                      8a6b78fcafec6d9d193ddfda5ddc69bda5133ab6cfe13d09316a73077c94c2c6829c96fcbf718f02c0a66508ca79c88fab83f36d7bed8f9b0fdeab6242d9cc05

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      317B

                                      MD5

                                      afc6cddd7e64d81e52b729d09f227107

                                      SHA1

                                      ad0d3740f4b66de83db8862911c07dc91928d2f6

                                      SHA256

                                      b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

                                      SHA512

                                      844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      880c5d440f74b2649646e5b047776c3a

                                      SHA1

                                      0582f1f4e1ea64100f680374befe122027734f9e

                                      SHA256

                                      5da67da6896ef260a85ea4a4342d21bb328de799d03173dbe56975f443629d9d

                                      SHA512

                                      1e759bfa2af22ad10fce78dcd33f132390265970fbc95b7fa1dc10d62c4e88f9c42736cbbd5e986da708ac15d2606ecbb2a863376286098746e0d63bf7593452

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      925bfbcb570a4dca1c3b50c8627b7e79

                                      SHA1

                                      3ab3a9b806afac0b80f18e4ab594a9d02fa3407b

                                      SHA256

                                      55832bb5228d06c7617917a42c2d29070a4369aa0512e1bf0b87b543e5947186

                                      SHA512

                                      e39d07c22a8bf38df336a46bc481695beb394cd2081ce6b1a453de35317fcd1dd7dddb1c9807b3c3f2f71a0f6651e0fe02c65c94c0af168425442dd7e1d88ea2

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      4ede657dfd8f9fe996c01616e95edd35

                                      SHA1

                                      e6a9479c93f97dbf2fb33e87b0dfee8b6c894e01

                                      SHA256

                                      4e46d910cee714948edcca8759f8dfed3fa8b962eba4cdb1e4118d16eec21ba5

                                      SHA512

                                      08b5a495fed600fb8df1a750dee20dfc2535f302bfba49a04de923b8135e3e4fc3f679a2da03e141020f6d3e41f4d1955d7ed0517873a4bec665bae88c965c60

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      46295cac801e5d4857d09837238a6394

                                      SHA1

                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                      SHA256

                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                      SHA512

                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      206702161f94c5cd39fadd03f4014d98

                                      SHA1

                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                      SHA256

                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                      SHA512

                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      c1824dbd0bfd2fbf2acf213529dc44d3

                                      SHA1

                                      740c847b7d2e26ae2e037882a8a2fa9c50f8df6c

                                      SHA256

                                      209c1a3c37689abeb91e2f13bb58a5807bb5bb6dcbe361004dc66e547a87a821

                                      SHA512

                                      fda79bf8e8253c5368f6e3cb84a865498d001aeb521315fc3b301a8beb07af93c0118683ee3d65b9a25ac1957d1f7f4841531d466bb923f0fa667b75975de645

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      b4acbafe86a757bc430de1ea056a1529

                                      SHA1

                                      7d1b89fa33ac058204446d068c9bb9f8c3238b23

                                      SHA256

                                      311dc9ab220ece9e2f28521923bcb8ca0d839d9c122c145479c2273804938837

                                      SHA512

                                      f0b89e214b2ffbc2a910affb78610e5794feec68ee24ea8ef609dc96e3face22202ab12861cff510cba97d946f85b11699614118257b7520fc22b31610e1c196

                                    • C:\Users\Admin\Downloads\zip.zip

                                      Filesize

                                      29KB

                                      MD5

                                      b05c33e2ae171f3931ca355e4820cf62

                                      SHA1

                                      8f4ae9550a75fa1cf46b282b03cdb4f809e4ffc6

                                      SHA256

                                      74b6089379acff9803a37c3b5e8bc86c5877a319c4ced5a714ff9c9c63905188

                                      SHA512

                                      fafa0f20f07d20bf99304a087d27bb478c630f4e74aac8969a150cacb89120a8cdcd726a98110088cd5b8352e56b8afa19811445eb5ce6b9598dacaa5ca79766

                                    • C:\Users\Admin\Downloads\zip.zip:Zone.Identifier

                                      Filesize

                                      150B

                                      MD5

                                      2b73e0bea5f60700411a84162a62a592

                                      SHA1

                                      2c789e985eec15f0add6bc8c58b95f77e2dcae59

                                      SHA256

                                      5dfa34e9167a49fe7d961f1226cdf07f01294aa2580bd440161bb18ec9842c10

                                      SHA512

                                      fbe3751fa405083a426dcf58f7fa21f1bccb6565bfd3f387503cde70c7e655d156dddc3bc7497a80ee8498d4b70d5d29befc4e9751b178cb3b1253e9b91aea14

                                    • memory/4680-148-0x0000019E005F0000-0x0000019E00608000-memory.dmp

                                      Filesize

                                      96KB

                                    • memory/4680-149-0x0000019E1ACF0000-0x0000019E1AEB2000-memory.dmp

                                      Filesize

                                      1.8MB

                                    • memory/4680-150-0x0000019E1B540000-0x0000019E1BA68000-memory.dmp

                                      Filesize

                                      5.2MB