discordrat | 3454313582db126dabf03c20da5f470aff890a4f08d2e868ac1eb3322e89eee9

Analysis

max time kernel
445s
max time network
453s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-08-2024 18:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

b8b27b9115947173af300193301fa0f7
SHA1

b9386a3be62a26657a16566ab3e40b7c5d227be7
SHA256

3454313582db126dabf03c20da5f470aff890a4f08d2e868ac1eb3322e89eee9
SHA512

b024008cc9b7f89807309a1e03f91e401544b8b32d961d20477b4476568f41b7e2e5499a76ed2ce62966b0f251be7b825486934c6d2369e38a841ad3ea6d7af3
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++PIC:5Zv5PDwbjNrmAE+6IC

Score

10^/10

discordrat modiloader discovery evasion persistence ransomware rat rootkit stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2ODk4MDE0NTUxMTk5MzQ3OQ.GDnAPs.L0_4uSbVCU81mPoUZKhDlrvbtDOlC1t8-vGLd4
server_id
1268956309605060639

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/memory/4976-1340-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Contacts a large (542) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Disables Task Manager via registry modification
evasion

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4880-1337-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4880-1338-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4880-1339-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4880-3079-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"	Blaster.A.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\U:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
521	drive.google.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Control Panel\Desktop\Wallpaper	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaster.A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4340	taskkill.exe
5072	taskkill.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{F1FF390D-152C-4E0A-9FCC-1F2A04196E2E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{D4BC23E0-1158-4CA0-81C0-D73962BE97C2}	000.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\the.most.dangerous.batch.file-main.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3096	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
3704	msedge.exe
3704	msedge.exe
1164	identity_helper.exe
1164	identity_helper.exe
3856	msedge.exe
3856	msedge.exe
1680	msedge.exe
1680	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4024	msedge.exe
4024	msedge.exe
4632	msedge.exe
4632	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	Client-built.exe
Token: SeDebugPrivilege	4340	taskkill.exe
Token: SeShutdownPrivilege	2484	000.exe
Token: SeCreatePagefilePrivilege	2484	000.exe
Token: SeShutdownPrivilege	2484	000.exe
Token: SeCreatePagefilePrivilege	2484	000.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeShutdownPrivilege	2484	000.exe
Token: SeCreatePagefilePrivilege	2484	000.exe
Token: SeIncreaseQuotaPrivilege	5296	WMIC.exe
Token: SeSecurityPrivilege	5296	WMIC.exe
Token: SeTakeOwnershipPrivilege	5296	WMIC.exe
Token: SeLoadDriverPrivilege	5296	WMIC.exe
Token: SeSystemProfilePrivilege	5296	WMIC.exe
Token: SeSystemtimePrivilege	5296	WMIC.exe
Token: SeProfSingleProcessPrivilege	5296	WMIC.exe
Token: SeIncBasePriorityPrivilege	5296	WMIC.exe
Token: SeCreatePagefilePrivilege	5296	WMIC.exe
Token: SeBackupPrivilege	5296	WMIC.exe
Token: SeRestorePrivilege	5296	WMIC.exe
Token: SeShutdownPrivilege	5296	WMIC.exe
Token: SeDebugPrivilege	5296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5296	WMIC.exe
Token: SeRemoteShutdownPrivilege	5296	WMIC.exe
Token: SeUndockPrivilege	5296	WMIC.exe
Token: SeManageVolumePrivilege	5296	WMIC.exe
Token: 33	5296	WMIC.exe
Token: 34	5296	WMIC.exe
Token: 35	5296	WMIC.exe
Token: 36	5296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5296	WMIC.exe
Token: SeSecurityPrivilege	5296	WMIC.exe
Token: SeTakeOwnershipPrivilege	5296	WMIC.exe
Token: SeLoadDriverPrivilege	5296	WMIC.exe
Token: SeSystemProfilePrivilege	5296	WMIC.exe
Token: SeSystemtimePrivilege	5296	WMIC.exe
Token: SeProfSingleProcessPrivilege	5296	WMIC.exe
Token: SeIncBasePriorityPrivilege	5296	WMIC.exe
Token: SeCreatePagefilePrivilege	5296	WMIC.exe
Token: SeBackupPrivilege	5296	WMIC.exe
Token: SeRestorePrivilege	5296	WMIC.exe
Token: SeShutdownPrivilege	5296	WMIC.exe
Token: SeDebugPrivilege	5296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5296	WMIC.exe
Token: SeRemoteShutdownPrivilege	5296	WMIC.exe
Token: SeUndockPrivilege	5296	WMIC.exe
Token: SeManageVolumePrivilege	5296	WMIC.exe
Token: 33	5296	WMIC.exe
Token: 34	5296	WMIC.exe
Token: 35	5296	WMIC.exe
Token: 36	5296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5440	WMIC.exe
Token: SeSecurityPrivilege	5440	WMIC.exe
Token: SeTakeOwnershipPrivilege	5440	WMIC.exe
Token: SeLoadDriverPrivilege	5440	WMIC.exe
Token: SeSystemProfilePrivilege	5440	WMIC.exe
Token: SeSystemtimePrivilege	5440	WMIC.exe
Token: SeProfSingleProcessPrivilege	5440	WMIC.exe
Token: SeIncBasePriorityPrivilege	5440	WMIC.exe
Token: SeCreatePagefilePrivilege	5440	WMIC.exe
Token: SeBackupPrivilege	5440	WMIC.exe
Token: SeRestorePrivilege	5440	WMIC.exe
Token: SeShutdownPrivilege	5440	WMIC.exe
Token: SeDebugPrivilege	5440	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4632	msedge.exe
2484	000.exe
2484	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 1520	3704	msedge.exe	84
PID 3704 wrote to memory of 1520	3704	msedge.exe	84
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 2436	3704	msedge.exe	85
PID 3704 wrote to memory of 1224	3704	msedge.exe	86
PID 3704 wrote to memory of 1224	3704	msedge.exe	86
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87
PID 3704 wrote to memory of 4652	3704	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef2903cb8,0x7ffef2903cc8,0x7ffef2903cd8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,11285652306488711994,8049851201407932654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\the.most.dangerous.batch.file-main\the.most.dangerous.batch.file-main\logofuckit.bat" "
1⤵
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\the.most.dangerous.batch.file-main\the.most.dangerous.batch.file-main\logofuckit.bat"
1⤵
PID:1616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\the.most.dangerous.batch.file-main\the.most.dangerous.batch.file-main\nothing.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2216

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.A.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaster.A.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4880

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4976
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3904
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:3264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004C8
1⤵
PID:5876

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5296
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5440
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:5588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c9855 /state1:0x41c64e6d
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
23KB

MD5
ce3cc830b1e038999dd41be7ae9e1718

SHA1
ebed20a6d1e3b98b2293a90880d6e9bd5a503bf3

SHA256
5bfb0304c3a1d1128796a32c3da1b1d773dbdebecd7947364553b201300b2445

SHA512
74e649b2ebc3c5443feaa548e5f55e403bf99f27a8c5709e0247e89090c53b0d084903d57ac2e69135325ba7d97f9b7d8284df49fb42b28d53dd51b41bd21578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
41KB

MD5
5b6eb9202abfde97e3d691a835509902

SHA1
515f8ea6e88d5bde68808f1d14e3571bc04d94e7

SHA256
f9ab282aea02569f9e73aba576cd517a7fefba7d90b935fc571397e710b15dab

SHA512
309f32e918aefdb51c218d57ac37714d90653dbcc4317597c1e3df67a8375b5cd7aed9dec97eeae248b29c03bb46318216a3384971357bfb4dfbc294e7f5f9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
1.2MB

MD5
74c0a9aceda2547c4b5554c0425b17ba

SHA1
d5d2355e5919dcf704192787f4b2fbb63b649b0f

SHA256
3b9e3adb939801b9ada1ce67afc7decef4538c016c78113697b89a35a295dd8d

SHA512
e178dce4a59cf184bcca3523e687092f4edc2a3c7af4eddf1ca1965ca06347eadf8901f851260264c14fa052331b2d1aeef2a6b9048b87758617285c9650b479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7235f55c127446826c1a2b90a2d486c6

SHA1
fb8b7361c54b11a84ad33506afea0feb5c910217

SHA256
227184272471e125a03d9c2314b42a0dae0706434d4bef4a61121c9c92edb93c

SHA512
4d542fa11d366148d222d7c99cfca607e43dd3db9f2d9467c662b32a1847c967e2addf498be7cbdc447b05e67cd7abf449d375be20f95726cd9cf2ab8d028ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
be5126d08c021c8a25375a059e7ddfa0

SHA1
9eeb13e2d619afbf86ba5a336c1d0bab4ad794c1

SHA256
24da35542fbd9e452b2e9903f5dcff77ee66930b956f52b24715effd634c9577

SHA512
fb57f4c00a689c2ff77964088f0bcc745322bd0facf8acd7f71481202528d86ce01361013fcacda8160ea04136652c21315afa168eb72c427188e36615484525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
74869a236c6d4d962545584977f6cc2d

SHA1
83f1fae7b866ae0badcdb5a1cbb55b0ba9278da9

SHA256
4f0b4b3823c8e18d28b9d9aaae25c43c622413226d98cc13c94377c36f1e546e

SHA512
4afa7f0a0ee43cbc4de6109b9801472575b2f0af9d3f49dd5a2d822a91485e03b9df1cfb9d1dee7c85c88bab91758911b591ef01a1cd312b8cfc3150fdd7187a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a962360f402070f2869d0175f5236f56

SHA1
530bf2f185011af93c78cd03c5d3667f0ac5d6d6

SHA256
19059b7f15b7a94d16cf405c3e9773e72598ea8733965073eaf471a37beaf759

SHA512
367fd7604ce4ca1dfdcdbaaa203300406cc43990b5c9ab5f65e797efed8633ad7bff10c74cec02873b7d07602217152720f57120ab44e7f6b583160e0a54c40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
873B

MD5
d22c4b696e22ca1e173d14f46d49a734

SHA1
0ef9286de680043747107459c714a4ba58bc9139

SHA256
e28a09c67a6303b69194111557b33bfce442fe550c3baf44ec33919be659dfe4

SHA512
f909cf762755510468c15198a46c5f12db8479227814ae38d10baa5642dfce8382aca1da02be9af2b5fe59b164bbdd9645a802970edcefaf38753d2eb109800a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
566B

MD5
63a0493ef97fec678a11396e6f5789aa

SHA1
3fbf72bb4b22859de4343242adb5fac49b769da2

SHA256
a32591f33d545dc6da440723cb00ac1ed8184c59b9aff9db1b39f342b57a2c24

SHA512
65fa6293609efac670fd59c39d0e6444747c87e33f60d90ac27c93a9867524d680aae905cf5cb570dcc27977df1841380417c23a105a14c0ac8d93ab42e99f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
643B

MD5
cf5464443790a0f0cd45ecb3b476f8d0

SHA1
addedcc3ba62e0fe12824df0c39f7577c51ee4f6

SHA256
bd26f8c1a9b2680d2f0f8384b7cb2b9f8695827b8210a2d47ae1738049babcf9

SHA512
dc0ad0b204d7551e5ce091812d423f94388d49c951ee51e811b64cc7a208c1fd59cad1cb81bb858bd4aec4ec0112f495e6eb0bc569b2c2048e435c9c132e161f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74a1179cf7fc969e4e0812b86a61cddc

SHA1
ce8c4e82f6a7b64d88c40e1687e0f65c0c8066cc

SHA256
f8c44327dc11e30a59248e37a5ae1dd90feff8572b2c23fb5fb3ba928446d9c7

SHA512
e7da8685092561205e68072ce0744fd6b72953e29c1e644a610ab2d0f0ec18f0a5cf469742573463a2b158a8a2a687eab8d7ea06eab695956c54370c26454247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b906b5af360225db3a25cb750234c1a

SHA1
b1b4190dc217a5a9a05f483ffc066bf35ad667e0

SHA256
28980137ac99f37f307c10f6ba13044f5e2be45d68afd10f06dcf2e4cb4cd8a4

SHA512
428088f3c2a8079c1f7acb2d1d67dcbe7012d87fcde10a4b6576f20627b4b18d3e7a36ef87128ed57b0301dc9640888cc4bd275dded8237decf157059979aab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
133948cb922bc04e05942159082cea2d

SHA1
f5da3926e3b89b4f70294ffef1110608946deb1f

SHA256
0a1450602b8eee9ee0b49ce2c69628728fad5a2d044cac53fb330cf4587dea1b

SHA512
900389057588fab05730f4d766ee79538b0b31ac346291d708a8f76d0a4acb7b57a891b4d49ae40c4d90b16e55d98299af84df413d7fbb7eb769b27e2015eef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
79d14646fb35243fac1a30aea720f230

SHA1
aca08fa1515fb867187f12871feeedc24ad677e5

SHA256
26fb12427e59185612b280d6a69f12d0980a3a2b21a70aa03d5aeb3dfbc25418

SHA512
de3af923a24b278c07a8afd6a8db0f1c7b9628a1f84c0c27668f1fd7c36fad89ed1ba0723a194e02da31a836a87746e7357614f715c04a642f91dc60f1c68313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
499475cdcf3de08ebe1191c2361d7943

SHA1
fc1f4618cf57177af1c81102f704cbc9ada1398e

SHA256
032939e29bec2f7e35bc369ea9232d9515a815aeaf6c9d94a4c3ad5dad835b82

SHA512
08acc129d4fe58acc98fb9bd8fdaff8132d4d24d9569fb12dd2213a6d9bd643d795ff8baca2beecb35dd3cf41de3ad076820f0d88a938a64101cce784ae9e3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e4f9aa77b0b729ee389cec76aef5881

SHA1
85ca772ba5f7372ced75b4f70c4b3ab790264532

SHA256
1cc7cfed5672ae800de06d4e852ccc1e5ffcdb2320b19be187aa22f62d3c0107

SHA512
e78c1046ea13e71f566e9f82694bc54900fc17af267c3a112863bbac5bdeaf1d0f27d8fff33f3f2747354e8cf2a07625ea425a9a49d539cf79e770882f6e1275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
815bb45f2ab5695578569227b50108d4

SHA1
36069067fd922e1bee4043f531947793a0a6b1b9

SHA256
8f9cbae14f85c7fc037a7c1324fa03bbba6550de20859f3010ddeabbeda065f5

SHA512
b891202691eddbfff182bf09a9a5b8c99bcdfb466072b52ec6f6533ac889cb111f209a33fd23436d3fec7778ef958083c707ad8916a93949d760f4afb8cf6049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0447c73e0fada85d289b7cc9a25ea383

SHA1
35d1486c7ca4108503b89f155a73533164da7c83

SHA256
ba14c1e45e6c4a5e1e7da6cd2274a7fa0f744fec19c4ef0f6ab7b65ab03382a3

SHA512
a1e45fde347e94f6d8fa1ae374c44770e853d657bbe9605a740d6708ad0165db8e79bfea66fe820973f0fc963e041d1a3e9446253f663fd4f06de3da27253663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85e22400d1f848e6a6b1d7b30cadae3f

SHA1
58e3a91927d29d078d30a9788583f7c5f008bea8

SHA256
d2bdec5d1e2e949902da6a9427610428cef641b5935f10180869a11671af44eb

SHA512
142c443f7fc25206a5689bab038dd1f8680bfa30e33325c111deb6f5b9ec300110fc516f464247172d7cc46432df0bc9271f88fc0c94c2f389a80c9d61b1089b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
711601ae3205de379527e2030cf747dd

SHA1
4a3eb9cd7c0b51f4e408b1d96cbe6331be8c7935

SHA256
05d64d1e77cae26e9b7f910e06fe422be71786de2efa90017a0654ab85f303e9

SHA512
181016c6d03a65a38afe1b11b7c52e8baf9f2fa9e17f62da77ca4aa09b11415d57f73f47a4166d8186e113a434555ffe8ba9cdd56d4b77455a48fdb63f8fd077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
72070bb85e43efed48d221a57cdba445

SHA1
0ae21c53d1d936b80e6eb5a89834a87b4f4a25ab

SHA256
90e68ab27cf2b909ff449a82f24fe6900308134185801169e4d605b84118c5b4

SHA512
8ad7a0a6affc4605ce0402ed9ff2a2d00d4865156a2f056793ec73a73599b8cde0f8f4868abe521ef1d65a8c7b6662b0fc5f56edef9e3766602a7f1696c529b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebb6f19ec296b0a49f78f5758e3f24e7

SHA1
2c52fc6a850cf5b0772a9c8f9c86bcf647d79ed6

SHA256
d3aef339008bd6d83c8f095d9e86035600425de01feac597884968bda8b7e8d3

SHA512
24678b14002ecd371d53a5c1ecbcddcce6075f0e8b0f1d0451e2c11173fc97b8123cdd098446007d347c948b24530d71620cd3e8042d2949340930b23c4bea5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0db048341735aedf08b1bbc805c16af5

SHA1
44aa2bd23bb1080b8352e85bb2c43c2f8b5e23c9

SHA256
1f8db256e5101f45fae17a4cd97ed01047b169a50025be22350791c5cd287e6c

SHA512
6796658e8d5680b3eca944a3c8bba8a93bfd8cc98edc194ed867c11ce2e2b4385b7392f844f0050bb89a16783e81143d9784f6032eac23d9e5cc0cdd3331117d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fef5cb3cdbcb2d9bb17c60eecfaee02

SHA1
089569d13d498f2649185a9b06c4b2cb68fbc0fa

SHA256
e472f8314c8f2f958740004d862e04c1fa24010dd6c1c7205673edf1dcc095a0

SHA512
20a7b8d22ac32cc6312b08457070cb764d3aa884e39f5a1f2bd23c6205170f17940e93d82b61e447dbe6c1e54a827f5d738a7d7037dead8d249a81bc253e2b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c4a90cebbbc356e996ca3a4a694de40

SHA1
6d319c84ac56d84278e6133826cc75599a68dfd5

SHA256
e44f97dfdfc6a69b04a7b14d980ac13e91cda4755950e1f0b9c3b425bf8b7526

SHA512
ff9e08b8a2b6002049001dd3572cf96ab9ca7a2a48a35330cc426cdbc98ffd14b2a14db08ff84e21e9033338f37b7a7eb7acacec8af58678571aa3cacb00ebe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592178.TMP

Filesize
1KB

MD5
94b64fc7f7297fe2e6f4ea2eb0a1fd58

SHA1
6d154fdbfa9bde8fb0d283aa37a66896eb5079b5

SHA256
2860e94d7a6c033575017993cd2f328b7247b26afe4b67ca747f695e2a0d3033

SHA512
70b9e58513d5e8a83d2952733735e38ecc55542ee9041c7ec3405db65f5eddb11d1492ca350280ddf88511aed568ba6412435679fbb9264e6ee38af7664a4541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
80a5d6cdb753f1a9d44340341f8a4b49

SHA1
05053c53e2ea42b72ab5fe753801fd3d4049458c

SHA256
38e460ae1af3d60b0e3bedb3cb528422d5b15b4d512fac044b8d796084a0d1e4

SHA512
6e07756d5eba506d59a86dd051764b60595b436fc49721195cfe58b8b641c14f8a3db53fdc5e6ebdb99f26df8d37fbb0ddbf2e0711838bf9d463f1a2c91b3b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b146c1f78790a55eb3a513f95dfa99b

SHA1
e50216fe9dfcfe78a0756461ab04a0151f807c84

SHA256
d21b0d65ac8245c5ae647dd4b3bfd6320f0fe482c95fcbe846df8bb754568048

SHA512
21748a8fbf3c98db012a2417dfc4ab9b2c28aef71c8ae5587efdc79f1c5f7889973fc97bb4414ca6a9193e95ee5d8b20b4c813eb123a8aeadea85eaf0f92b5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26eae7db5249743b6fbe146f167bd9aa

SHA1
0276be3097882583846a56a2742d9c136dfb9edb

SHA256
80391f4282ec3bdd08cbe264f1efd428375ae0d616f42cf77c8fe00a4072590a

SHA512
a3f1e30e7d1109ed649a0af738b4cac605e4da9f93d6580bc2ab14a3ccd5f15ee63950d0c52ff729bda4c3a6be743af622726bbf89254c9317f66d70b40f3819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21ee5b29a770cb08c33264ff9dec3e5c

SHA1
f2c23ff87355df46d4985578a36988db4369c10a

SHA256
8fcf5bf6979ed234066f0406e9395acfdd0c33e2ed84032a698636b64a6df37d

SHA512
57a885e98ab213396175ca8e2243d016471248b1c137f87156574ceb0f2652c79406bcd40a71cac52e284a7fe142bb9b6f5db3491e9b0b69039ca1a2450d4759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
8a410ca32cfa68b6af87dd2a15895e22

SHA1
78218033b8278df0e23513baaffdfc346efaf5cb

SHA256
078710f879b2d154a2ca8d9983b4ba9a90fc0be52a52c98658ad9c2c5fa5592c

SHA512
de46b955a9e9ca25d045efae4f34367a5b5832d36e49291d0c5e237381af12045a479b0d53777ab135db15b7af09f24152d48210ba24e4ffe0bc815b9936972e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\the.most.dangerous.batch.file-main.zip:Zone.Identifier

Filesize
189B

MD5
8439f97250438143b3dd26ad58c69ca8

SHA1
75177a242e663748190bd760bf73798af15e262d

SHA256
6c3c2af6b42f038e08a12d4eed5d380dea9e2050a0e64cf37115ca1127a5160c

SHA512
1a750bbf51a75bb6782580058a64b2cc337ea16350a83d3650658f0de6e0b353855764c168fb14e70959fc0565f0d34163c872e85d0f2d4de167d2d22d3b54f4

Download Submit
memory/1532-69-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-3098-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-0-0x0000013BFF190000-0x0000013BFF1A8000-memory.dmp

Filesize
96KB

Download
memory/1532-2-0x0000013BFF740000-0x0000013BFF902000-memory.dmp

Filesize
1.8MB

Download
memory/1532-3-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/1532-4-0x0000013B9B2E0000-0x0000013B9B808000-memory.dmp

Filesize
5.2MB

Download
memory/1532-1-0x00007FFEF75F3000-0x00007FFEF75F5000-memory.dmp

Filesize
8KB

Download
memory/2484-2210-0x000000000C2A0000-0x000000000C2AE000-memory.dmp

Filesize
56KB

Download
memory/2484-2191-0x00000000067F0000-0x0000000006D96000-memory.dmp

Filesize
5.6MB

Download
memory/2484-2190-0x0000000000FB0000-0x000000000165E000-memory.dmp

Filesize
6.7MB

Download
memory/2484-2209-0x000000000C2E0000-0x000000000C318000-memory.dmp

Filesize
224KB

Download
memory/3904-1342-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3904-1341-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4880-1339-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4880-1338-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4880-3079-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4880-1337-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4976-1340-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads