hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/download/2[.]0/release[.]zip

Resubmissions

01-08-2024 07:51

240801-jqaqeszdqm 3

24-07-2024 09:26

240724-lehb8s1hld 10

Analysis

max time kernel
499s
max time network
502s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1974522869-4251526421-3305193628-1000\{D4E2D489-DB5A-44CB-9B53-756A62438EDA}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\release.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\a.htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\a (1).htm:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1236	msedge.exe
1236	msedge.exe
2228	msedge.exe
2228	msedge.exe
4060	msedge.exe
4060	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2776	msedge.exe
2776	msedge.exe
1404	msedge.exe
1404	msedge.exe
3204	msedge.exe
3204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 5020	1236	msedge.exe	78
PID 1236 wrote to memory of 5020	1236	msedge.exe	78
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 2824	1236	msedge.exe	79
PID 1236 wrote to memory of 1408	1236	msedge.exe	80
PID 1236 wrote to memory of 1408	1236	msedge.exe	80
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81
PID 1236 wrote to memory of 1680	1236	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4e143cb8,0x7ffb4e143cc8,0x7ffb4e143cd8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,8070278305771999483,11990265900314432169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b955e722604701611f125fb68f961ac

SHA1
cd0229bdf7a707e61b68c076be78554e293be793

SHA256
cf96dc0a7769526dd103f80138f017ddd6dc6a30d1160e46085a59cab5ced215

SHA512
7c9ccdfa973bac36d0ff115d1a747762a019b01b3f21d48462e68313efef1aa6cb2f50e40ef211e12b2297d364090227953a7e924ee249a1e5d083e2f72ed53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e35616ead296dfc20451e3f2ef0f1a6a

SHA1
cf5d4de230b9631f31e311ed196483af8d39f70b

SHA256
79e0d13391c5a17de396de145490cf013b2d21b35bbd02cbedff4f9c069fb0cc

SHA512
3395980a57ae64d74354c8fb86f6d373ee7ff00fbb6692ce1a0d2f108c3e8ed55e8eefbc986dff90fee28d808fe8ad47428c837a30ce38e6fc70c6743a63a911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
21KB

MD5
017975d305729c957b42440bb7cec4be

SHA1
4ecd64ae942d7994b18210b09e72b9a12c6ad7e3

SHA256
6c9f3f5cc1dfabd4377baced6215ed916ebeca530d76f5afebc7b18f3a6a8668

SHA512
216fb759fd6b7c18e738bf2eda55d316713d54a61fe7c925ef7d1dd82381d214a37bee7f3fdc9ca65c74585decf1a23441eddd6278decc9f4a178ae5252473ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
37KB

MD5
b55ea81a7b6f5e1657c7535e62f30414

SHA1
bf805e3e1b6235f0c6841890d1840216db0cc9a7

SHA256
aa8cbe99245455317fbef1b94bf3395666473a709fc008f21bb0444727ac13ff

SHA512
1b1ce12a2120bf0e587d89d1474791c8385cad118f7c2b791f07792e1a790444faa8bfdab38316a0e7deb40c45cfe7a91ee6b8b62d0f326d3e76103e4b4e7c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
37KB

MD5
14c460a1feda08e672355847ea03d569

SHA1
f1e46ac6abd71ebbcdd798455483c560a1980091

SHA256
d1161f067875a5f686c1732a442f340142c6a03244f4dd0bc0f967596f6cbe3f

SHA512
cfd6e743986ae5074e73264ee1f311fc00a987bdabeeafbf55f5dd6ef0794ccc393507be9dc7e38181f2f10897c300edc297976acd3fb72da2bf560ec260af91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
22KB

MD5
9ec8ba204f6c45d71c998a0ce1dd714e

SHA1
e6790bc2fc03148c9d9cc1b3a91f4c5df3d8295c

SHA256
a4daad6848500cbb261729ecded45a13e2f102d666cff8a0e2bf5991ea5e5c9a

SHA512
d30fe0c1f7589354e7b228a5ca4e522e198c6e7ed30186c54025e991c7dc9a324e1cfd243ed2009aed863c01c3b341ec88bd74aca019e13ad52f8dc2ff3c6ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
23KB

MD5
3ee08c0fc927f0d63dff408a360cbae8

SHA1
1ee602e9198cddf3b3c8914535dfb74e3db6fe00

SHA256
7fadc4712b1b0a5e8ec608255318ff021f3b6adc2115ffb084e96bd7b4924ced

SHA512
789bb803ca20d6e3b2e36a71442ff2305a5d96155ea73451a6279eb381cf9a62bbb192597fd8434ab93960e27d34d5829905d7692c78b2301275014e88caeecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c4f2da4e4b4dba36_0

Filesize
35KB

MD5
fec17020127012802f69221c4171eec1

SHA1
237bde4317deae59721c2b984b147f1336994085

SHA256
13b5d7ee9ef603c6fc6687659e2fc07cbfef258245b67508e5c907161c071902

SHA512
76d7421f91bcd318afc527650299750f68cd0dfbe1beb8bba0e5a045bcbd3e8f419d82346ecbbbfe5970b9dda05716950635074ddf3ec4c35dd18db5a147e362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cd8e88a1eb9a5c8411c65a340597e5c7

SHA1
e626221c37b4e0bf7da7dd83da887f8877700d18

SHA256
5da1fcf2e584f74ccb67a86713a27560e327c735d7a0aeff04090124f5b2364a

SHA512
1c79a0f0dd1c0f10cf60f31e5fc3e76019a97712f8ad10a1dcf198788b1677d78c55273e3703489f70d103165124f794f3ecb4dd8cf498015ee5388a1bd2fa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ff421c213d02e973d69d5a6dbb3d168b

SHA1
98f56231aed96ed17621a0cd668d38e5307eefc9

SHA256
301e426d5cffcb278232f23ee668ec2d0d7f10e4511fb005a562a2343a9cb522

SHA512
99c29542e5ffafb2bf1ac5cc9f36190592520643ed718374bc24aaa0e47979dc85a5b0c61c6f4b9097ffd089201e085cdb649282d294bd27ddcd5f3014addc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
0eb2a09a10150614cbc29fab0893e1d3

SHA1
968d7cc2e235d43f9b8114a6c45264e928b8e61f

SHA256
598c2e6e2376e2c8ad942c49d0cf6a8f8d75887f2beef0e6e4e5145432934667

SHA512
726134fc2e1ce34165e8cadb805b59e9e64d83a6c3bb3d5dbc6aff5a895207aeb1ef0d4e8933e473479b700aaf75ffd4601ee76b7b3b7aef31d2099cf24cee67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac7ec3c79855893875a219084c97b116

SHA1
dd15f7b8338ff0a89ad46fae688739c146480982

SHA256
ff633e2a4004b404e4bd7f47b1936c8062f16a4dd9b4a41d9bee05416f3cac6e

SHA512
0f28e08857054745adf49fbadf71eaa1801a23e13427f21006e66becedd029901b0e5269d0b9d302f3601e4790a067aa3ca2decd7aa96331ff08320069a4cbd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c27ba300d9cda951f93c9501d24c41a

SHA1
7066a7667cefe292332a5fb709376bd01f68c4b8

SHA256
7fdbabe02720830655c1c1800e4655a822bee73db2772d942a4ea3d60bd63c0f

SHA512
72b34193f2f22ffa17b51f136c51c6a2372cff56d70d4eb7ccd5a9f230e48cbca1cf86fed830a66f08a5645992001f5244afc86288478f28b73d25f48e7665d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b511bdfdb2ec0a65faa043d94078e89c

SHA1
349890d7b1cd453006876160a196fc1a5c9b3b38

SHA256
e561eb6db892100a62ed943afc1dbcbdd4867c6be3565f8e5c5575f3bc2d16aa

SHA512
dae7d6940e38efb1bb35019a35e6fcce986e78365d7ec11993924e7948ca4f1d60474d9072f93c7f97f792b4f14aabfad0541a89a535ae4a6b499de1094e17ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b1d177e05cd97e089da9c04822e522b

SHA1
ce181214682c4a82f9056bde89f46d8054b29abc

SHA256
eaae0082fdc58665484e31549e1913352bb8eb30573ff1ac46003f18da198225

SHA512
dd70a8c7cacc1eb7e9d07cb87c129dd8e0105629c21b87c6eed06e61631abcd68992a5db2ad468cf2ab24f9add954d57ba1cc650527a9116294cbe5bcea33001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69dbb7f8d055f5b9b1d60f17a5c88764

SHA1
ff8bfd5af12c3f2e3af1e3e0f40fc71fc162fadf

SHA256
36c72764ca198efa08b51afb6adfc5a3e3b0fb7bcc65028ffab52a70349dbf81

SHA512
856fd08d33dfe72b470fcab2d0998433505610dc9cd03f82dbccb8a9a58bb6aed1d9149e164e2cceb9bb527c062693965bf0003e4cd26bd6a09731c5f96eae4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6fa7ea411e2313bafb755e0e272a8973

SHA1
14a19c23943c0279dc81620f4ccab9d8439dc44f

SHA256
459ea9567c6651f134e0184a6d80dd5a40835143faad962a31edad3bcec006fe

SHA512
bfd978cff556b54ecff8741310dda2f24c62ed864e6f22fa40f5f931ae044e6c89d9c1f8b6233af822eead19f0aa88dce762d2feccc602f0101ad85f2f77ed20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a5e3077a5b6238eca53580797510f297

SHA1
7326be28abb5e99e8ef0366dc69319452c5f38d3

SHA256
10430fbfbfb2b874254688b5b2923db08d4de59ae65f59e2d8c697a5b0f9bb42

SHA512
5e36c36d6c2829b59410c68051a42f2bc7de57deffda23d9be6a2fb6cbc6a35b8b7227e1bfb7582647be47c91bda8db5dd4f62a61294ffdbb8c6f034bac9122e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6e0cdd554e52f8a0a04832c17ad27ca9

SHA1
a8e8d68d973bac79743a49d03a8d4c802831968e

SHA256
fcbbaa9e5298fa86e70ce0e1322c86b24c723cef84d35e9136f40679352ac372

SHA512
163332c704a854f9a5e9530bbe3ee6e313e08d554e4756e8163f9729abdffca261786ae56863008029836cb15e499f57b6ba81c73b4189ec108aa019bd1ac968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6f19db4f7cef0a181397f9b5d1edc0ac

SHA1
1317450285181572d5f50f176204733588d24070

SHA256
4d0e6770e29e8d3390e400204842bf47b7b082d3b664780e35bcf988a1207abc

SHA512
648b033967fe8c452980053cf139e1fb973cfa6b3d870beea44d6119cbaa00de87297671d6fc319a09a2bb7960793934fc988afb9f5b4ae6bd09e06015e94acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
db7e9128a60466b93a9b8d664481e792

SHA1
ec9ced778f8f209abb754e74d194e1ef18f1aa1c

SHA256
f477f8df8f462606a78720ad7c85cfc124289bf798786d82d87256166940bbde

SHA512
9b7d7bb1e8cf4cf44c9bba5d72634ca0364514ebd326a35048cd7aec4fb0993f442a0c3a93f2d189d1b77f61d033c905a7cf90070db4411cd2ad9beadf96e864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
154fadf29cc69180e3f2d38fc79abfee

SHA1
363832f7d916c2b983b052bd68fa11ddbf6474b7

SHA256
0473b59090e72ef012108ee9d9a0fa97aa7f91d8ce29214aafa9823c91d127ab

SHA512
30144f26592f422974d989d1e9d0a6186884c78fbc25bfb2e7a8ec988b9f6a5786c0f1283a853fe352f6195eff7a50d410962e849c1f813f70392ed71a320f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
85db6c2a29201ecf9fccca5125162f12

SHA1
01f5c7953d6174f9805a5444464326120a626311

SHA256
f983ea674e40aeb1c06c40daa91fdea7dc37f7ae43112d1c8ca42fcda18729fc

SHA512
26c536abf5efe4999f2c69ad6b1369be998dabf1bfc48446a0057734f2cdb05667f627636d9ca060f36d8637622951de12b2bcc481d02719832ea55c0c8767a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
33a12b2d39cd807a18decf98167c3f46

SHA1
4e986121daf16b12e88e7e48441665973d9393dc

SHA256
ec62343f06f3367eef4ad4d98467ffc76fb9aaefba1ea0c004f7be9c46d06ebd

SHA512
10e6efec9a6277d3369e33de02adc3c44a92b51f042ee3cf3f784eccc71c77bcae130f7623873c503dff59b3bd6fb1faad645f31cb26ef56e83fe0c92147a147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
49d83a02557c3173d57063917a81f53e

SHA1
02c65167a13c9fb269a15c6394b686dc1de5dcaf

SHA256
b9ded3535a0ba69fe7d6c0228726c08ac5de53c38cf9c9145cae9f2aec019d26

SHA512
c150a96cee86278ff0141b43b4b163a4ee72fe32822ae9ad6c2e844e662b97f1607c6fec2321edfd88e112141be7e0b98b3815558a8ca301dac6f1595574b695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d731f.TMP

Filesize
203B

MD5
66975a0411f43ad6bf14e53361df4931

SHA1
7413795671c3e65f0e19027255f0c53bbfd0cc4c

SHA256
4fd6257a7d98f3d6cb9896564705e56d28d6e44ede1ecc360c6a4fbe03e1eae5

SHA512
adb679ade8c8958dfb2ba36247532847d533d21569ce65358f6d4497db2f92eda125501c46d1160bc32070c9a9a1593f272bbd742e4b3fdb05debf442da315c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20f3d6909152dfe0e83c61e4b46e71bd

SHA1
999d2e60759a02117a03d3d39fcf4c4496bb378a

SHA256
a2d749fa6bb3388e8c027b722e338654d2267e6c9c611a1e7af8179cbbac21a0

SHA512
eed5e93c9b15ae8a53d3f9e19433e7c980c5d28fa39df9f1e591487857fd1370e3f2481a76c330fb300a053ea5c2b3559399dbc1dc00ab72f89d9a1d037fc84a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 379672.crdownload

Filesize
1KB

MD5
0b7d74756246c418bad0067d7069886e

SHA1
ddb5f306801f1eeaa76067f1e69c827e483a159b

SHA256
155b8459cc708d22fb7d20ff9b266c2f7826c58e4e93f882f077cdccaa532eea

SHA512
c1118db1636dcade73a02e5374f292e52617383018ea6f4699441291a9e1f1ed133d59506729a5c53882ab3a26b2519ffd79982d0b16c03e30e680dd212f1807

Download Submit
C:\Users\Admin\Downloads\a.htm:Zone.Identifier

Filesize
498B

MD5
49b9d2b48ac6ff6c0adf0a9729ae62cc

SHA1
8415c1a0604cc260611ffd2a1615eceac01f4581

SHA256
146081bf23c54c06e2918790ce424ea292dd9563230c82f3cd5d9d7001c88121

SHA512
bc6c3236070f1553c21370e8a271eed8192ba0013367229cc74e5d27886390044fce97b86027573249eb445b648da8af833f0eb7af67e6064878828ff51c92f7

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release.zip:Zone.Identifier

Filesize
582B

MD5
599fc658ffc2b8f2fc1b859dfb93e978

SHA1
b934385430d49a787470dfb6e02555a21fdb5f41

SHA256
9864404d134957e6410caeabf70bec98326eecb47abc98387a808d9295388d68

SHA512
bd7f5fedc0121837d3b6ad84bd00304c19137b525b3d9bc920997f7a0fbfc69bf1566bd491eca959c37a226e27593ea3f3e13ca7997f3f02d10f2b0e7d08e8cb

Download Submit