discordrat | hxxps://mega[.]nz/file/ozkjTSJZ#fJ0Vh1Kci8EtKQMCQ_k_sw1UaRnrwmIoUAQJg1zpGrw

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ozkjTSJZ#fJ0Vh1Kci8EtKQMCQ_k_sw1UaRnrwmIoUAQJg1zpGrw

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjMyOTc1MzA1NzY4OTcxNw.G2RyzH.lPU7ZMdJ4zfRkLH95jf-R422bjUb-BYiYsu2tg
server_id
1256329683432112240

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
780	LX Executor - FN,RBX,WAR.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
68	discord.com
69	discord.com
73	discord.com
88	discord.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 709078.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
4916	msedge.exe
4916	msedge.exe
3580	identity_helper.exe
3580	identity_helper.exe
1268	msedge.exe
1268	msedge.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2532	AUDIODG.EXE
Token: SeDebugPrivilege	780	LX Executor - FN,RBX,WAR.exe
Token: SeDebugPrivilege	3008	taskmgr.exe
Token: SeSystemProfilePrivilege	3008	taskmgr.exe
Token: SeCreateGlobalPrivilege	3008	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2632	4916	msedge.exe	83
PID 4916 wrote to memory of 2632	4916	msedge.exe	83
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 2564	4916	msedge.exe	84
PID 4916 wrote to memory of 468	4916	msedge.exe	85
PID 4916 wrote to memory of 468	4916	msedge.exe	85
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86
PID 4916 wrote to memory of 3212	4916	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ozkjTSJZ#fJ0Vh1Kci8EtKQMCQ_k_sw1UaRnrwmIoUAQJg1zpGrw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff457b46f8,0x7fff457b4708,0x7fff457b4718
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2984 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,8028597047235222945,11015163207434594115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c4 0x3e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:696

C:\Users\Admin\Downloads\LX Executor - FN,RBX,WAR.exe
"C:\Users\Admin\Downloads\LX Executor - FN,RBX,WAR.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3ffc8742109f81b4445144f6373a52c2

SHA1
791c93b18ab44ff6cdc6c8b80c3c0d563113e9f5

SHA256
32b287f3e8e5af6d48edf8fe57b6e2695fe95bb59dc13e02d9ef216e3819a7bf

SHA512
63f3eb03d3d356d408c2632fc436a4bbd8aeada76bc1f6251c1f90943745984f9f67430879451dfd4c77745e22a53a4f5f68e90340c46618b4ed36a9c9ef0135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a4dc83e9b22b040c2417ddcaf800379

SHA1
c4982646ed059f69825420d15441a803ad37ba74

SHA256
d3ba6bed9cce19d5c9da98fa7946d6b992f41493b6d0366f03ac67b9c63f43a0

SHA512
116422c60fc0073aa5273724f79acfa99ebdd8e07891020eb13e241c3874bcbe47aa0e4dbf6fca139d91f571955fe04bd5d8cee24396dd1d5e2e355721c2dac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78fce8c124d6a651ff747155e5a1d180

SHA1
6d5c57099c773a7aeada4377c631fc79cf74889b

SHA256
00487f4b00b0441c762680851450cfb133f5517b81266ded7260547d4b695cda

SHA512
44a3d45a7a0b75c2d03f7b6f8e52880c372178ecc282dece1d75c85c1ec7e6094cea53429de1ed989b40255fbe6a8a57f83a409bb19b899ce6c62696ed602132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
111bc6dd6e25fcbec08696ff282a5e43

SHA1
eac70e871ca1a224db80fed5e48ed5a5a5a4c0e0

SHA256
122bef027194082196fa2ca54cc521ee4d5f9065d7473d3c444f71e1d3f8dc56

SHA512
3c5dfc11dea45224767cdce650018695988f77c3f2d200c3bc2fc49996cb9f2d2dec6093a57b0690a217633a175e776750e8d583d72ada246fa34cfe80eeac71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579a4c.TMP

Filesize
48B

MD5
d700c1212e7c905199c7eb9ae0b35e8c

SHA1
3435321339a127158aa31b278e88539da2a8c973

SHA256
660db660899b4adf114219288c5b904326786964825c15344fb0b11e1f24feda

SHA512
d46cff9bd01b7d5c1945fd9896dc99defe791f94e4d178294a4e6e8c8abf98f43241fda845fd5f38f6ab9e84eb9bf9416dc90565dc9212bd49158235597f28cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cd3f5f7f-b48a-4c24-a2e8-672fa756baa9.tmp

Filesize
5KB

MD5
4f4dba68896332970af647a0d11fc69d

SHA1
ea5a6d3baf1777de5dc8d3343402ccfcde89bdba

SHA256
e52d4f0ed41b75815b66483a4d38f8aa96bb2532e7b764c2026e789e7a4a3cdb

SHA512
527ad21fa3f6878defcfe18b7e1f13e45e1dabbca8127c2452788c4e7658fc8c63ecc9de95555d5ced563369bf633f78b15aa1604b37623b7dce539849f98753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8372dd94672e41eb348ff643185c0b5d

SHA1
9c3ea79cddb131c470e6bbf894d33a454e81d48e

SHA256
dcd0ec943d8e5a8a627d7d3e4b05a60b15ee5cd7271a18fc71265f7f41fa143a

SHA512
a665d667f25fe6d617978d832e94a937f5e792d36e4223225c5205a7a332a6e9c3efad2fec8a6bbb3dcf8e2d5aa67228bb4e5c77c259397044f9b625a89dd6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
19c9168e927e239f95ce62a0e29ab9de

SHA1
a59d623703af5e82d92502db38ce26b6808c231c

SHA256
92416f2a4a716dd87c4adb42ee82af34295ed40eec143460b10f2b5e568d3270

SHA512
8ecce07f4e038c5bac9fc82d63203c06f6bced4d6b5fb27e2fd814d72bc18bf06cafb61fbcff4a39afe78991dbb9914389d930012381e8bbdf2faf5df22f4d8f

Download Submit
C:\Users\Admin\Downloads\LX Executor - FN,RBX,WAR.exe

Filesize
78KB

MD5
5a990fb404c61ad153c8004c94670f93

SHA1
10f8ac57cb952bd39dc87a4fcc5dc9ade06709b8

SHA256
30301c07c9b85a6afb1338b95ad67b0ea64d487a7b16555a32a164b3ef263da8

SHA512
bd02653fae4bf085452916d6a80dd0a72a99275c351773217e72dd3f13af993e82fc47956ddac33229013348b15b4dbb468d99c982d8376e82e58e9db565cf90

Download Submit
memory/780-226-0x0000020B43950000-0x0000020B43968000-memory.dmp

Filesize
96KB

Download
memory/780-228-0x0000020B5E770000-0x0000020B5EC98000-memory.dmp

Filesize
5.2MB

Download
memory/780-293-0x0000020B5E2F0000-0x0000020B5E39A000-memory.dmp

Filesize
680KB

Download
memory/780-227-0x0000020B5DF70000-0x0000020B5E132000-memory.dmp

Filesize
1.8MB

Download
memory/3008-285-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-287-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-286-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-277-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-284-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-283-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-282-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-281-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-276-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download
memory/3008-275-0x00000182B1060000-0x00000182B1061000-memory.dmp

Filesize
4KB

Download