hxxps://cdn[.]discordapp[.]com/attachments/1237104294763692134/1261757771574153327/Hacks[.]rar?ex=66941eff&is=6692cd7f&hm=dbd56cf684266c4f5a3f1b436465f7b14b38b0895658bd803f5486d4e29879e6&

Analysis

max time kernel
72s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1237104294763692134/1261757771574153327/Hacks.rar?ex=66941eff&is=6692cd7f&hm=dbd56cf684266c4f5a3f1b436465f7b14b38b0895658bd803f5486d4e29879e6&

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1204	client.exe

Loads dropped DLL 9 IoCs

pid	Process
1204	client.exe
1204	client.exe
1204	client.exe
1204	client.exe
1204	client.exe
1204	client.exe
1204	client.exe
1204	client.exe
1204	client.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Hacks\autorun.inf	7zG.exe
File created	C:\Users\Admin\Downloads\Hacks\autorun.inf	7zG.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3976	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
4316	msedge.exe
4316	msedge.exe
3348	identity_helper.exe
3348	identity_helper.exe
3628	msedge.exe
3628	msedge.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3560	7zG.exe
Token: 35	3560	7zG.exe
Token: SeSecurityPrivilege	3560	7zG.exe
Token: SeSecurityPrivilege	3560	7zG.exe
Token: SeDebugPrivilege	4596	taskmgr.exe
Token: SeSystemProfilePrivilege	4596	taskmgr.exe
Token: SeCreateGlobalPrivilege	4596	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
3560	7zG.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1256	4316	msedge.exe	83
PID 4316 wrote to memory of 1256	4316	msedge.exe	83
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 4456	4316	msedge.exe	84
PID 4316 wrote to memory of 3268	4316	msedge.exe	85
PID 4316 wrote to memory of 3268	4316	msedge.exe	85
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86
PID 4316 wrote to memory of 3296	4316	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1237104294763692134/1261757771574153327/Hacks.rar?ex=66941eff&is=6692cd7f&hm=dbd56cf684266c4f5a3f1b436465f7b14b38b0895658bd803f5486d4e29879e6&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdea6446f8,0x7ffdea644708,0x7ffdea644718
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,5907174379061755448,16149140606765458964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4892

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Hacks\" -spe -an -ai#7zMap16020:72:7zEvent14330
1⤵
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3560

C:\Users\Admin\Downloads\Hacks\client.exe
"C:\Users\Admin\Downloads\Hacks\client.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Hacks\frozen_application_license.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3976

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5cecc907-a1db-434d-89e2-e1fcb80d8b4f.tmp

Filesize
6KB

MD5
51289bc7ac1ccf4f9e1c730cbc13ea70

SHA1
58bf308852393c3010d330013bef14af948c26b0

SHA256
c408f0bf0c13d74fd454a2f02cabbcf1cf514a01a377eff6116cbb9fcd558d26

SHA512
4a8167dc574ef7d7084d8623239e1aad68bf2e0712674dc9bfb0177788f4bfa53e400db030f79c095ad1a1b0f979303ad5fd0d17a3bccf53f728eeffd90617c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f31e0460054bb6330116af2870bfba9

SHA1
10ca8c11523c7d6a6da3632a39b2b42b05414ca0

SHA256
ef625e699d653a79914d13c8f5931932806dccbc8f3cf780aa1ea8fc5c44f680

SHA512
a3c80970a192b40f4d797cfd5e4a2e4caee7f7e7e7613a738d5b9185168a7d4beb27a28c8020d1b74f2eb7593df678cdebeaff6915cafcfed32fa7e562461201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
62e6021d76467acd48151507f90bbf48

SHA1
ec183e0d7338aa33e6c6fc42726c7fe6b838b80b

SHA256
bfb5d067abe0e4c13f48b598a96794d76de6933ef260e06c6728e3ae975ac05f

SHA512
345c709bebec7f18bd7374247f8c29dbf0ac4ebfdfda351d2f5e2a8496becccb27e228a7e9299ba3f8d4014a68b9dd2e830dd15b61b4b736558f26570fc343a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65855aeea1efa1eaff0456b5d0e8e5ef

SHA1
0691f260959bf356ad44b38b90ec726b6c0408d9

SHA256
6747bdd0ded74becbbeb985b074070b6f9917ac9ebffd1fac08d2774c7eedc7c

SHA512
e547b1068fe3ae39e481357015bd368a8bba7ecaab8fb94faf091efa518ae83aad3d6494d1ec27ae554f9aa31d95de51edcc2ef9a0afe0f5445dd0b8d32394bc

Download Submit
C:\Users\Admin\Downloads\Hacks.rar

Filesize
5.8MB

MD5
32804cc5fd2b1c945fa33561a5b530f4

SHA1
5d5374f4ceafcf768116c3c29149e5ea87b1a61f

SHA256
71adf1aeff9d3942a7cdb8dc577dbbcec7813e5d94d1d6d42d4cd33606fea655

SHA512
3328cfa8ead5614b9f2b0453dabf23a2f39521db9dbe3d825ad12d7d339aeb498f2412ea02d64db43024d18b26e4e62ac9820df94fa21e679ea8f6f819a6e7ad

Download Submit
C:\Users\Admin\Downloads\Hacks\client.exe

Filesize
19KB

MD5
4891230c95613384985864e1c35465df

SHA1
54120bb1230f9de9d2de421b9384ade1c626db9c

SHA256
128cbad939359b513a52c013fc3650a3a23460476e35f41ceea877a60e9e3461

SHA512
0d26419f382ffb0954f15de20e48bbce118e8792eb0e8a7037ca2229fe582f31df7c5e15039f3ae11eb3708f046c0f75fb3f1432034dda2f1d7fa1fe08089728

Download Submit
C:\Users\Admin\Downloads\Hacks\frozen_application_license.txt

Filesize
3KB

MD5
11b9c7a638b357c734c7ca99fbb2d183

SHA1
686431cef9bfa507d838568043c3bc1266171c6f

SHA256
99242cc0aba323639239707867438ef51a53937cfdcc411838adb0d2c638e4ca

SHA512
714b4036aed6f1804946494163e3e8faae4b8af7e02a56f02408fd0a820a07568bca51112e234b74bc8ed4b9af5c65fee79ab467f32cd28a4479ec82a5f2191f

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\_bz2.pyd

Filesize
82KB

MD5
afaa11704fda2ed686389080b6ffcb11

SHA1
9a9c83546c2e3b3ccf823e944d5fd07d22318a1b

SHA256
ab34b804da5b8e814b2178754d095a4e8aead77eefd3668da188769392cdb5f4

SHA512
de23bb50f1d416cf4716a5d25fe12f4b66e6226bb39e964d0de0fef1724d35b48c681809589c731d3061a97c62b4dc7b9b7dfe2978f196f2d82ccce286be8a2a

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\_ctypes.pyd

Filesize
121KB

MD5
78df76aa0ff8c17edc60376724d206cd

SHA1
9818bd514d3d0fc1749b2d5ef9e4d72d781b51dd

SHA256
b75560db79ba6fb56c393a4886eedd72e60df1e2f7f870fe2e356d08155f367b

SHA512
6189c1bd56db5b7a9806960bc27742d97d2794acebc32e0a5f634fe0ff863e1775dcf90224504d5e2920a1192a3c1511fb84d41d7a2b69c67d3bdfbab2f968fa

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\_lzma.pyd

Filesize
155KB

MD5
2ae2464bfcc442083424bc05ed9be7d2

SHA1
f64b100b59713e51d90d2e016b1fe573b6507b5d

SHA256
64ba475a28781dca81180a1b8722a81893704f8d8fac0b022c846fdcf95b15b9

SHA512
6c3acd3dcae733452ad68477417693af64a7d79558e8ec9f0581289903c2412e2f29195b90e396bfdcd765337a6dea9632e4b8d936ac39b1351cd593cb12ce27

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\_socket.pyd

Filesize
77KB

MD5
11b7936a5bd929cc76ac3f4f137b5236

SHA1
09cb712fa43dc008eb5185481a5080997aff82ab

SHA256
8956b11c07d08d289425e7240b8fa37841a27c435617dbbd02bfe3f9405f422b

SHA512
7b050df283a0ad4295a5be47b99d7361f49a3cfd20691e201c5da5349a9eb8f5710ab3a26a66d194567539660ed227411485f4edf2269567a55a6b8ccfd71096

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\collections\__init__.pyc

Filesize
76KB

MD5
56128c02fd08e8d61c4d3487779c0d55

SHA1
c4df70b02a65b758d225d8305761065546d0bbe1

SHA256
33081a2a4ab7b0fbaf32301d904433223741dbd71baaf8c180fe2bf9f39a2189

SHA512
6dee24a6316c81a6de39a38c5ed45964b4516feffc7cc50ea169f7001df1668297c1771a5f2ea44fc8021c4fbc8c3005adf5ee7f31589bdc7e30d2b736b2a39c

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\collections\abc.pyc

Filesize
331B

MD5
13a88860d989bdb3529d25387cf46f92

SHA1
48ef84c855192866fe44f0b41d5cb19799db5dd9

SHA256
a3987dc9c3520211ba4384ed975bf39351a292bc4d6f2bcbbf312062072e2ea2

SHA512
5f143357b8b0bd26c5f3c4694130d9efc57273126d07a899d9a5133d73e25e92fb483432c9de6b90229185f0c0afab30bbfea1d359e7137ca0707f6491636c68

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\ctypes\__init__.pyc

Filesize
26KB

MD5
3159d069ebf00061adee755c668ee032

SHA1
d3db137c7f15e1139b76a9c124017538a90814ca

SHA256
6ec3c8a5398d7cee6165c05decbbfa36b4ba763f695400a92cd426b7a8d62553

SHA512
1b21ba02b046c038d04ff0b57c261a1943335fb47edb5522f2fe23b362a69c69bd27e8792fcbdff7b1ff3b95a16a0acf6836cee358df54a4f81b2ef9d9eee267

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\ctypes\_endian.pyc

Filesize
3KB

MD5
dad6592bfb3e83df36e9e84fb889ae0e

SHA1
0e50bedca7c3c5d8bfa760cb797d85fef0f92767

SHA256
fac7b12d81ec56bc135118ecda40bd0193852a84433b047500b6290688eb74bf

SHA512
ca6b146ad25195e03f93c256c9ee79418b04d191552ecbe7a898de23968d50609d15559e903843c06cde91b3fd3d8af01c56053deb8dd29b61c76c8ddc740311

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\encodings\__init__.pyc

Filesize
6KB

MD5
ff6896429ef63819f9b9a40bae08709e

SHA1
c5cd37674be91a157426444b30c65ea24ea06a0a

SHA256
5f8c3ed56d01517308d8f00fbef6c7b85370016b3955149894647d1a815abdbc

SHA512
d9e5e3c04dbd03759cac627fab3e492cec670567cb7bd5bcb2ca9399208f81e3abffb6ef5f53cdddac5afc8d5202e270aeb5d99a0a23daeceda8999e41c26424

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\encodings\aliases.pyc

Filesize
12KB

MD5
3685f8397f7a231359b13fbbb2f02a04

SHA1
145e4fe46532076fd2d354ae5143c54070a73bbf

SHA256
d51a7f11cdd4c9d4f5f9a28817f4399b6b425b27f46c449fba71cf217ea7af62

SHA512
57629e48ed23728781330c3830a4756babc9e7818bfa2b9a45476dfcf47db2e3106956ffea3feecd9262e60a0aae27aacf1911c76a1ed5035ac2a3b29da15e3e

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\encodings\cp1252.pyc

Filesize
3KB

MD5
10c1208707ababca988a1b5e835bb06c

SHA1
2f9c075ca66d7ad2e283141d34da9b1c047638a3

SHA256
924fdaf396931dea8a3e03d979d8ce1782e4169896378bf45c56e0300032b6eb

SHA512
e2d2a93e62d9342231f695398f997c94462c518c6fca01bedb1b64a31e98d6bfaab603e006c99a05281b39ab0597c573972987707cb7429214da1588e75f8aea

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\encodings\utf_8.pyc

Filesize
2KB

MD5
09248bdfa957a637cf114ea07ac21651

SHA1
9e8c1e2bd3d713cc946f8022b85e466da2de8b56

SHA256
636677ccb53639459c2dca822164e752c374f70fd45ed466993defac750e920f

SHA512
cdf4e8f966f7909581fe3d282d483c3a83806caa3eacaf752300a69d67af78c039f0cb5bb77996c9ba5f15f1c3d18212bda1dad2bca74ce541586ce5981764a6

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\importlib\__init__.pyc

Filesize
6KB

MD5
286913e98133afa0c23fa40bd7f50618

SHA1
93ef9f03389e0ed9f9b99d4e9bdc25f5ff545bb5

SHA256
5f0763ef1bce9c9425f4c368eaf807ca51e3707ab572c1e7637edc307890902f

SHA512
882de22980264679f4a98342830cb36651a47f7cb28493a7265174f15a9190e11b6940139e045367f0ddd9b96f53987d4b96dee4868b9c175751dbf17445a60a

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\importlib\_abc.pyc

Filesize
2KB

MD5
93adecf645a822fd798f0da578ec980c

SHA1
f290a57aaae7c42b686d0674f19ab60019fc3a21

SHA256
e737e6cb17f01a7f8340851fee819f285155b7f3a8c674501c44d0d9d37f7b93

SHA512
ae71fa964fff7c4e1a0973631f7a6755145ce8bb619c9eaf15690a4d58df1feba8b0697b7e56a26101bc6d48bd2959924903af12d835e7a5c46b1d8011725f44

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\library.dat

Filesize
11B

MD5
12d737558481ffdec6d9fc90f1c64e10

SHA1
2d99fd826f22325c6715a6b9fabc64ffa56ba7c9

SHA256
1794a90e19985ee2dee89f9bdffac8dcb3676e2555db9469384493d14708aed5

SHA512
2c62c69718a41d011cb9a0bc436e874f967e4174094802e13142eaba4967e61a76ba06eeb3c6b4dd8c76dc4c41df6bd1e4397143f94aad03cc534d3084ee32d8

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\library.zip

Filesize
1.2MB

MD5
a1db051d143065dffe5702f371d7bcb1

SHA1
cee5c1da167e94aa46cb92fe747b7e62b4fd8c31

SHA256
63da280fcc5fbda3601ba9d26880c603a3945f69d6cd512eda4046128266330d

SHA512
e4b4324434ad32d081112971f8a11c3ee5e6c57f8fa30fc4b163c7f3ffb594acb65adcc95850cab4bd45b9dd6defa4b0ea7892c3277844cfcac61d536d5fb2b1

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\re\__init__.pyc

Filesize
18KB

MD5
21cefc4ce6a47151f84dfee5f9cff6d4

SHA1
9985ea8028681bbb56a17ca7edac356ea236f6c9

SHA256
7831cdb656d8a96f1e72612aa33a54514d4ea287f89ec1fc0bb2c439d9060b12

SHA512
315ed12bd5888b96684241511ff397f690695bfb835506a7a85510c47613a19eaf73bd63e40c480eb7bc834b01ffe1f2ef8f1b0b0d49e95327d48501ce8eec01

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\re\_casefix.pyc

Filesize
1KB

MD5
e4db920be527f80ab1e5cd0350cc13e5

SHA1
e98d9a531519867097ce047c363fb58401c96223

SHA256
edc5508f86ac2f63461ff511ba72fb722e589fa13a977d530e285e8321b6854f

SHA512
79ac5e1fe2493456f810f3d109a9c73c1182173356b6711cc6100e50df6345668096fd8e297be7da5144b512bc358d7970a42ba3463b93a456ef1e6c1896ecd4

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\re\_compiler.pyc

Filesize
31KB

MD5
6fc2a142abaaae5a1c0de601cf9c3e7c

SHA1
96d18e67b0070f0e3bfc408badf15695dd00ea7a

SHA256
b456f7b0df9571a6738ae3929f2469a249dcb5fc1f321eac9509e077e3ea1014

SHA512
0d217cb672f848bc85049d3be0d3c2cd614779944aa406946cc4122e0f53d5841cb5bb64529f277e102215a58ad6eda099502b2cde6daa7170dd36dfcef8c500

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\re\_constants.pyc

Filesize
5KB

MD5
6e236c9f0417514c614f81ca37478d0b

SHA1
cf77ae113ed010fa658cc23b8004cb9957b8ea4d

SHA256
9eb4a0280b22afbc37c50872c18a5ace74cd98b68a17f19eacb3f28020b8a978

SHA512
4df2c7e3d7e3b63000785326418fce20c99e5d80eb7976ce26781d27cb13a45a0d7aaa5c08c3bf1f8f67b4b1bc2c5701c73f90fb8f0f14a58aed005a158656f4

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\re\_parser.pyc

Filesize
49KB

MD5
3f7ec2873f9014d21d42c71743ecca0e

SHA1
e2a9af8ec3cf2f47ff679febeede1b096496e54b

SHA256
05d800599ebbfc9f843ec064dfc6e4fb9cca1774160dcfef11eacd920763f53c

SHA512
d94ae4c039a759757fbd3f17065c58b390c68f52f80007115cb73a50f757489e5064967272d66688ee48c64ccf69c7482e197a4fe3f4d85f424201d5dbd1bad9

Download Submit
C:\Users\Admin\Downloads\Hacks\lib\select.pyd

Filesize
29KB

MD5
0b55f18218f4c8f30105db9f179afb2c

SHA1
f1914831cf0a1af678970824f1c4438cc05f5587

SHA256
e7fe45baef9cee192c65fcfce1790ccb6f3f9b81e86df82c08f838e86275af02

SHA512
428ee25e99f882af5ad0dedf1ccdbeb1b4022ac286af23b209947a910bf02ae18a761f3152990c84397649702d8208fed269aa3e3a3c65770e21ee1eec064cc1

Download Submit
C:\Users\Admin\Downloads\Hacks\python3.dll

Filesize
65KB

MD5
ff319d24153238249adea18d8a3e54a7

SHA1
0474faa64826a48821b7a82ad256525aa9c5315e

SHA256
a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991

SHA512
0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

Download Submit
C:\Users\Admin\Downloads\Hacks\python311.dll

Filesize
5.5MB

MD5
86e0ad6ba8a9052d1729db2c015daf1c

SHA1
48112072903fff2ec5726cca19cc09e42d6384c7

SHA256
5ecda62f6fd2822355c560412f6d90be46a7f763f0ffeec9854177904632ac2d

SHA512
5d6e32f9ff90a9a584183dad1583aea2327b4aea32184b0ebbec3df41b0b833e6bb3cd40822dd64d1033125f52255812b17e4fa0add38fcda6bab1724dfaa2eb

Download Submit
memory/4596-525-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-526-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-527-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-533-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-532-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-537-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-536-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-535-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-534-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download
memory/4596-531-0x0000025793DF0000-0x0000025793DF1000-memory.dmp

Filesize
4KB

Download