purelogstealer | hxxps://github[.]com/LJ9859/Malware-Database/raw/main/Trojans/UpdateDiscordSetup[.]zip

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/LJ9859/Malware-Database/raw/main/Trojans/UpdateDiscordSetup.zip

Score

10^/10

purelogstealer discovery persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

UpdateDiscordSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Discords\\Updates.exe\","	UpdateDiscordSetup.exe

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4200-84-0x00000191FEC70000-0x00000191FED2E000-memory.dmp	family_purelog_stealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UpdateDiscordSetup.exeUpdateDiscordSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	UpdateDiscordSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	UpdateDiscordSetup.exe

Executes dropped EXE 2 IoCs

Processes:

UpdateDiscordSetup.exeUpdateDiscordSetup.exe

pid process

4200 UpdateDiscordSetup.exe
3312 UpdateDiscordSetup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
13 raw.githubusercontent.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

UpdateDiscordSetup.exe

description pid process target process

PID 4200 set thread context of 3312 4200 UpdateDiscordSetup.exe UpdateDiscordSetup.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4200	UpdateDiscordSetup.exe
3312	UpdateDiscordSetup.exe

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

description	pid	process	target process
PID 4200 set thread context of 3312	4200	UpdateDiscordSetup.exe	UpdateDiscordSetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exeUpdateDiscordSetup.exepowershell.exe

pid	process
5048	msedge.exe
5048	msedge.exe
4336	msedge.exe
4336	msedge.exe
376	identity_helper.exe
376	identity_helper.exe
2464	msedge.exe
2464	msedge.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
4200	UpdateDiscordSetup.exe
4200	UpdateDiscordSetup.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4336 msedge.exe
4336 msedge.exe
4336 msedge.exe
4336 msedge.exe
4336 msedge.exe
4336 msedge.exe
4336 msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zG.exeUpdateDiscordSetup.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4696	7zG.exe
Token: 35	4696	7zG.exe
Token: SeSecurityPrivilege	4696	7zG.exe
Token: SeSecurityPrivilege	4696	7zG.exe
Token: SeDebugPrivilege	4200	UpdateDiscordSetup.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

msedge.exe7zG.exe

pid	process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4696	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4336 wrote to memory of 3480	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 3480	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5040	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5048	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5048	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe
PID 4336 wrote to memory of 5036	4336	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LJ9859/Malware-Database/raw/main/Trojans/UpdateDiscordSetup.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7fffbc5046f8,0x7fffbc504708,0x7fffbc504718
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5686567041585787338,15255456588426652029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2868

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UpdateDiscordSetup\" -spe -an -ai#7zMap13083:98:7zEvent20049
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4696

C:\Users\Admin\Downloads\UpdateDiscordSetup\UpdateDiscordSetup.exe
"C:\Users\Admin\Downloads\UpdateDiscordSetup\UpdateDiscordSetup.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABEAGkAcwBjAG8AcgBkAHMAXABVAHAAZABhAHQAZQBzAC4AZQB4AGUAJwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Users\Admin\Downloads\UpdateDiscordSetup\UpdateDiscordSetup.exe
  C:\Users\Admin\Downloads\UpdateDiscordSetup\UpdateDiscordSetup.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UpdateDiscordSetup.exe.log

Filesize
621B

MD5
8ac365dc282788c15f8acf7d54b6f633

SHA1
06ba77cb09a2c33bf03f6506f47fe7fbb396ae1a

SHA256
2c09c3a4a8926cac0a5abb3cd34c92c78ec66d87e0e225a04f26e02d6630bdeb

SHA512
73a80236ab1b2fd69384ea047667d784e0b4ce4064a57ee6c6e23ee61e58fad37346c42792cf4d9cbcfe52e3f7c72ef5eada6fa025a262adf57a4b80123e4a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
ed3bf773742d0cddded9ed92e6cdcac0

SHA1
d16fc997449813eb18f011d4582f9c7fff319ec4

SHA256
e11f55eac4774d485f8f92d8f4646b795084afa8f4d6c19cc69692083e90d8b2

SHA512
8ab57e238fbb39566857f9690f25fd1ef0568563ab46fa2537d77a64c1abccefd37bf2f3ad11be154fc28fe570eb159baee05f4b19b672720b451e5b7ffeae04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6628a5b705027ea30fc411c2a4b8e24a

SHA1
188f3da217b2a48cb4a801504101eeccdf685c76

SHA256
80d7c34ced1468350fd8ea78cce7939e1be47b9cac50d135f50f5baccd1343d3

SHA512
dee7096a649a3e15c33b791d5a4a0e2e05c5c25d1172495cf8dd8007e9f1d7ef060c6b4529412dc54690e3453582bb6fe2a527acae234685ee3ad94457767f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d049f647ea67a7a984d21af7e69a15f

SHA1
99ae8ba14afe1f428bdb42b66c596ba347c2ec42

SHA256
a421d2c3a5b664ae7c4ef958dd25e885d3ddbc08eed2916197a6f4ed51fbac26

SHA512
f39f60c27ec82933388832c00437eacff609ef34baec95e9d87e9212fceb2ddde9799f27889082e71210a6802c71c24fbeb05a1829a2223b6cadd6323bc5162e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
319dd903c3ff370775b05fc7b2129961

SHA1
b351ec4bcf3370b8bd1e2b56b24b7477e9e4805a

SHA256
324517d6f14f963d027f57e1d8baca90f098d8bb4efb5ef094d55672f21b74fd

SHA512
4e94eff13bc0dec105e4be4e55e35c2963551a7d95e4d21adcb2c6cbdef9afd0c18e112bca39e5a4f2f65fbf3ef8621abba751123caab1e730e356d5208b3928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\de5ddc6f-0187-43d3-946b-554bdd790f9d.tmp

Filesize
10KB

MD5
bbea03b4f65baf4a6771499299106a59

SHA1
9ea1125ed6ffbfb694d50574e459839cede7c2d1

SHA256
df5f0f5d295d1a60d573259bbd12b1f249f7f0e5d8f96ab9476e5b964f485c09

SHA512
1390f849feed3488838f733e38ed2d156575b7004a8c357980bc0fcceb4bd799a4dba822e77183d99a78c8290e5f617d29d92fa6a3fc9c935a5b73168f1c086f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3fyjwv2.2xw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 828174.crdownload

Filesize
692KB

MD5
031a2d123cfcc5e098edce4e62915954

SHA1
fb1baa9b4ca2432516f479ec37ddb5c7e011bbed

SHA256
aefb70f87dfeef41fed9232241cf67e10b51eba5cfd8b80cfa55b75e56c4630a

SHA512
b702f82044ff83511a3813d34fff78750be4fdbdf2691287e0dfed154c3b6eaeb4703b42884ec775bb9ab42d4dfcb744657f2feee0ce3540fe77771d45aec933

Download Submit
C:\Users\Admin\Downloads\UpdateDiscordSetup\UpdateDiscordSetup.exe

Filesize
1.0MB

MD5
763ca81b3a5386bcc3c92660fe63cd56

SHA1
30f4923fd4d09cb143ab532c062d69558e314457

SHA256
c15c8d28afe8b2ab0b17aac8648ff67882b2a472358b09d3da93cb781ae0f4ed

SHA512
c299b20eec4c0c75acd770ae6ba3d682b7414f5139e4dfad356590caa250c2a0a6031d7a24713779aa6cb852f5f3b1f42b48c10ca6785e78f91ac13263aac9bd

Download Submit
\??\pipe\LOCAL\crashpad_4336_RQDAUYCLBSJKGQKQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2648-129-0x000001E707150000-0x000001E707172000-memory.dmp

Filesize
136KB

Download
memory/3312-141-0x0000000140000000-0x0000000140074000-memory.dmp

Filesize
464KB

Download
memory/4200-86-0x00000191E4A90000-0x00000191E4ADC000-memory.dmp

Filesize
304KB

Download
memory/4200-85-0x00000191E64F0000-0x00000191E658A000-memory.dmp

Filesize
616KB

Download
memory/4200-84-0x00000191FEC70000-0x00000191FED2E000-memory.dmp

Filesize
760KB

Download
memory/4200-81-0x00000191E45F0000-0x00000191E46F6000-memory.dmp

Filesize
1.0MB

Download