Analysis
-
max time kernel
102s -
max time network
103s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
25-06-2024 14:33
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/6YiFME
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
https://gofile.io/d/6YiFME
Resource
win11-20240611-en
Errors
General
-
Target
https://gofile.io/d/6YiFME
Malware Config
Extracted
discordrat
-
discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
-
server_id
1250682422434074634
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs
flow ioc 23 discord.com 33 discord.com 49 discord.com 73 discord.com 89 discord.com 98 discord.com 4 discord.com 43 discord.com 82 discord.com 84 discord.com 86 discord.com 88 discord.com 25 discord.com 27 discord.com 94 discord.com 95 discord.com 68 discord.com 79 discord.com 90 discord.com 92 discord.com 96 discord.com -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "225" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\zip.zip:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4196 msedge.exe 4196 msedge.exe 3460 msedge.exe 3460 msedge.exe 2508 msedge.exe 2508 msedge.exe 2892 identity_helper.exe 2892 identity_helper.exe 224 msedge.exe 224 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 4680 compiler.exe Token: SeDebugPrivilege 3808 compiler.exe Token: SeDebugPrivilege 4676 compiler.exe Token: SeDebugPrivilege 2148 compiler.exe Token: SeDebugPrivilege 2084 compiler.exe Token: SeDebugPrivilege 1596 compiler.exe Token: SeDebugPrivilege 3116 compiler.exe Token: SeDebugPrivilege 1164 compiler.exe Token: SeDebugPrivilege 2384 compiler.exe Token: SeDebugPrivilege 4640 compiler.exe Token: SeDebugPrivilege 5204 compiler.exe Token: SeDebugPrivilege 5284 compiler.exe Token: SeDebugPrivilege 5376 compiler.exe Token: SeDebugPrivilege 5456 compiler.exe Token: SeDebugPrivilege 5556 compiler.exe Token: SeDebugPrivilege 5644 compiler.exe Token: SeDebugPrivilege 5740 compiler.exe Token: SeDebugPrivilege 5832 compiler.exe Token: SeDebugPrivilege 5924 compiler.exe Token: SeDebugPrivilege 6016 compiler.exe Token: SeDebugPrivilege 6104 compiler.exe Token: SeDebugPrivilege 6156 compiler.exe Token: SeDebugPrivilege 6248 compiler.exe Token: SeDebugPrivilege 6340 compiler.exe Token: SeDebugPrivilege 6436 compiler.exe Token: SeDebugPrivilege 6528 compiler.exe Token: SeDebugPrivilege 6616 compiler.exe Token: SeDebugPrivilege 6712 compiler.exe Token: SeDebugPrivilege 6796 compiler.exe Token: SeDebugPrivilege 6876 compiler.exe Token: SeDebugPrivilege 6976 compiler.exe Token: SeDebugPrivilege 7084 compiler.exe Token: SeDebugPrivilege 6320 compiler.exe Token: SeDebugPrivilege 7176 compiler.exe Token: SeDebugPrivilege 7260 compiler.exe Token: SeDebugPrivilege 7356 compiler.exe Token: SeDebugPrivilege 7448 compiler.exe Token: SeDebugPrivilege 7584 compiler.exe Token: SeDebugPrivilege 7676 compiler.exe Token: SeDebugPrivilege 7776 compiler.exe Token: SeDebugPrivilege 7920 compiler.exe Token: SeDebugPrivilege 8160 compiler.exe Token: SeDebugPrivilege 7200 compiler.exe Token: SeDebugPrivilege 6432 compiler.exe Token: SeDebugPrivilege 6872 compiler.exe Token: SeDebugPrivilege 8068 compiler.exe Token: SeDebugPrivilege 3916 compiler.exe Token: SeShutdownPrivilege 7056 shutdown.exe Token: SeRemoteShutdownPrivilege 7056 shutdown.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe 3460 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 760 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3460 wrote to memory of 1404 3460 msedge.exe 78 PID 3460 wrote to memory of 1404 3460 msedge.exe 78 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4564 3460 msedge.exe 80 PID 3460 wrote to memory of 4196 3460 msedge.exe 81 PID 3460 wrote to memory of 4196 3460 msedge.exe 81 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82 PID 3460 wrote to memory of 2248 3460 msedge.exe 82
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/6YiFME1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9400c3cb8,0x7ff9400c3cc8,0x7ff9400c3cd82⤵PID:1404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:4564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:82⤵PID:2248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:3716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:2240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:12⤵PID:3900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:12⤵PID:1364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:4980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:12⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:12⤵PID:1372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:12⤵PID:4488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:12⤵PID:912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵PID:8544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵PID:8516
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3368
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:800
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1500
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5204
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5284
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5376
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5456
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5644
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5832
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5924
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6016
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6104
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6156
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6248
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6340
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6436
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6528
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6616
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6712
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6796
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6876
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6976
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7084
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6320
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7176
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7260
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7356
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7448
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7584
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7676
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7776
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7920
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8160
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7200
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6432
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6872
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8068 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:7056
-
-
C:\Users\Admin\Desktop\cdumper\compiler.exe"C:\Users\Admin\Desktop\cdumper\compiler.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:760
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59a91b6dd57fc9c4880d34e9e7c6b760f
SHA177a09da6ef4343a8b232386e000cd2d6b9fc30a3
SHA2560170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a
SHA5129fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f
-
Filesize
152B
MD5bbfb66ff6f5e565ac00d12dbb0f4113d
SHA18ee31313329123750487278afb3192d106752f17
SHA256165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754
SHA5128ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize288B
MD55ab85f642f4509231d8398e512b3f9e8
SHA1146aef5498a37b4db1fd82eb6270536993c2f571
SHA256dd6c2854c264784911eb3c9c077f4ca4810bc6865fdd9bc94228408c002792b1
SHA5128a6b78fcafec6d9d193ddfda5ddc69bda5133ab6cfe13d09316a73077c94c2c6829c96fcbf718f02c0a66508ca79c88fab83f36d7bed8f9b0fdeab6242d9cc05
-
Filesize
317B
MD5afc6cddd7e64d81e52b729d09f227107
SHA1ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a
-
Filesize
5KB
MD5880c5d440f74b2649646e5b047776c3a
SHA10582f1f4e1ea64100f680374befe122027734f9e
SHA2565da67da6896ef260a85ea4a4342d21bb328de799d03173dbe56975f443629d9d
SHA5121e759bfa2af22ad10fce78dcd33f132390265970fbc95b7fa1dc10d62c4e88f9c42736cbbd5e986da708ac15d2606ecbb2a863376286098746e0d63bf7593452
-
Filesize
6KB
MD5925bfbcb570a4dca1c3b50c8627b7e79
SHA13ab3a9b806afac0b80f18e4ab594a9d02fa3407b
SHA25655832bb5228d06c7617917a42c2d29070a4369aa0512e1bf0b87b543e5947186
SHA512e39d07c22a8bf38df336a46bc481695beb394cd2081ce6b1a453de35317fcd1dd7dddb1c9807b3c3f2f71a0f6651e0fe02c65c94c0af168425442dd7e1d88ea2
-
Filesize
6KB
MD54ede657dfd8f9fe996c01616e95edd35
SHA1e6a9479c93f97dbf2fb33e87b0dfee8b6c894e01
SHA2564e46d910cee714948edcca8759f8dfed3fa8b962eba4cdb1e4118d16eec21ba5
SHA51208b5a495fed600fb8df1a750dee20dfc2535f302bfba49a04de923b8135e3e4fc3f679a2da03e141020f6d3e41f4d1955d7ed0517873a4bec665bae88c965c60
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5c1824dbd0bfd2fbf2acf213529dc44d3
SHA1740c847b7d2e26ae2e037882a8a2fa9c50f8df6c
SHA256209c1a3c37689abeb91e2f13bb58a5807bb5bb6dcbe361004dc66e547a87a821
SHA512fda79bf8e8253c5368f6e3cb84a865498d001aeb521315fc3b301a8beb07af93c0118683ee3d65b9a25ac1957d1f7f4841531d466bb923f0fa667b75975de645
-
Filesize
11KB
MD5b4acbafe86a757bc430de1ea056a1529
SHA17d1b89fa33ac058204446d068c9bb9f8c3238b23
SHA256311dc9ab220ece9e2f28521923bcb8ca0d839d9c122c145479c2273804938837
SHA512f0b89e214b2ffbc2a910affb78610e5794feec68ee24ea8ef609dc96e3face22202ab12861cff510cba97d946f85b11699614118257b7520fc22b31610e1c196
-
Filesize
29KB
MD5b05c33e2ae171f3931ca355e4820cf62
SHA18f4ae9550a75fa1cf46b282b03cdb4f809e4ffc6
SHA25674b6089379acff9803a37c3b5e8bc86c5877a319c4ced5a714ff9c9c63905188
SHA512fafa0f20f07d20bf99304a087d27bb478c630f4e74aac8969a150cacb89120a8cdcd726a98110088cd5b8352e56b8afa19811445eb5ce6b9598dacaa5ca79766
-
Filesize
150B
MD52b73e0bea5f60700411a84162a62a592
SHA12c789e985eec15f0add6bc8c58b95f77e2dcae59
SHA2565dfa34e9167a49fe7d961f1226cdf07f01294aa2580bd440161bb18ec9842c10
SHA512fbe3751fa405083a426dcf58f7fa21f1bccb6565bfd3f387503cde70c7e655d156dddc3bc7497a80ee8498d4b70d5d29befc4e9751b178cb3b1253e9b91aea14