discordrat | hxxps://gofile[.]io/d/dh1exz

Analysis

max time kernel
70s
max time network
89s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-08-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/dh1exz

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3OTA3MDYxMzAzNzY0NTk4OA.GeddYs.Bw7nRimxl9SA9swRqiR0AXit0EHms1ANWdPBTE
server_id
1279070803266371636

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
4760	free-vbucks.exe
4936	free-vbucks.exe
3472	free-vbucks.exe
2660	free-vbucks.exe
3212	free-vbucks.exe
4860	free-vbucks.exe
4188	free-vbucks.exe
5140	free-vbucks.exe
5268	free-vbucks.exe
5428	free-vbucks.exe
5648	free-vbucks.exe
5836	free-vbucks.exe
5988	free-vbucks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
1	discord.com
47	discord.com
56	discord.com
59	discord.com
66	discord.com
36	discord.com
40	discord.com
43	discord.com
52	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\free-vbucks.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 110457.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 166439.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\free-vbucks.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2464	msedge.exe
2464	msedge.exe
1996	msedge.exe
1996	msedge.exe
2252	identity_helper.exe
2252	identity_helper.exe
2276	msedge.exe
2276	msedge.exe
2780	msedge.exe
2780	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	free-vbucks.exe
Token: SeDebugPrivilege	4936	free-vbucks.exe
Token: SeDebugPrivilege	3472	free-vbucks.exe
Token: SeDebugPrivilege	2660	free-vbucks.exe
Token: SeDebugPrivilege	3212	free-vbucks.exe
Token: SeDebugPrivilege	4860	free-vbucks.exe
Token: SeDebugPrivilege	4188	free-vbucks.exe
Token: SeDebugPrivilege	5140	free-vbucks.exe
Token: SeDebugPrivilege	5268	free-vbucks.exe
Token: SeDebugPrivilege	5428	free-vbucks.exe
Token: SeDebugPrivilege	5648	free-vbucks.exe
Token: SeDebugPrivilege	5836	free-vbucks.exe
Token: SeDebugPrivilege	5988	free-vbucks.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4688	1996	msedge.exe	81
PID 1996 wrote to memory of 4688	1996	msedge.exe	81
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 1944	1996	msedge.exe	82
PID 1996 wrote to memory of 2464	1996	msedge.exe	83
PID 1996 wrote to memory of 2464	1996	msedge.exe	83
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84
PID 1996 wrote to memory of 3480	1996	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/dh1exz
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc8bfd3cb8,0x7ffc8bfd3cc8,0x7ffc8bfd3cd8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3861035629384720183,12340999970052371472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3116

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
288B

MD5
93b2be9109d90f0c5c9f5f9d9f54051c

SHA1
1193fcc69be3b5a5c216e78eb3666c7dc28557aa

SHA256
bcd364680ef79bd96c742e491fa0916fb167b07317c183516bbe3ff223517162

SHA512
f5f5da2c479467b9e47c7d47b7cb7b71acfea9246f236f527a39e521a02a01698e22597eb113794202d4636063a6310c11bba406d3aba9eeb048feacb523f7a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
a0eb2ea9f256535ddde6c960e96f8872

SHA1
e6f13449ffce0834281c80d688c3ee873c86f8b7

SHA256
296abe3c4bb1cd799453d0780b3f995ca271f6e5a10d7531607e2f78acfcf997

SHA512
9333690f5d8c446266bb52bcbaffce2334656a55f8424726944162a0f123808cc2ad185e094b9c32122ef762663366b77128579468c2d4e26d68147b109d75ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a3b7af4858ade8fdf4958a9f1d26fc7d

SHA1
874560119d146be20a383478b4b6b1c75de238a8

SHA256
1f6787d58527b607c22b9758c2d4dde8c4a499f80df2ee5072c18778ab05aba5

SHA512
14959cbaaa91e68565ebed2992327f316ff7cf389008f52f6739c0d831519d7a5cb185802b6cab15c17f6879dde363dc80e4f5d7aa77fccb5765a9d8d08ec745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0722f64e9dd631fafaa3395e6ae94a09

SHA1
afd7c02dd8fffb6ee3f261ae3c2a04fdf813534d

SHA256
d75749cddfab33dab255f27bf032ab3bce32cd58bb9e64c45ed8a655a092f472

SHA512
43a65884ec753b0e639b146a56875b7389304611bb95b9cf147ccd9b54c9511e72af3f76aaf3abfc213ed06f00bde083b3be2d3db0ff46cc2ea4668cb7b2967d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5cfd40c1427f4a587e4f3979a901a692

SHA1
becf48f07babd5148d42e77071d59a2cab4dffcc

SHA256
40e2e7865ab14529e8a1e2735cd45dadc363eff35f9aa6cf0ae5243f02e7d860

SHA512
dc9e7bd638b8711c47e515e55dbf643613c439dd034fed6a17f823bf1689d24d84783e1e8c22d84bdc04a9ee8c3a3d85fedfba5263f8dd8ae0bf50e50c4ca6f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc2a35cda881904ddd85372b24a48975

SHA1
7625ce2d144e8b989c4eaf8b5807ff8b07cb7913

SHA256
2ec266f943105512cb856b88c1da369c2d27aba5d8d21998df3268d4e2832ac9

SHA512
76ba72ae15d2a6eb1ba3d43bac3b63055ec0850fbc90fb3a7c8bdc56d6289943b50e1babb042651b345d4a40c6b39675caebd685f4f96f6116878931778af5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0659f0a712d5e0a234c8c856ff8891c5

SHA1
af3c502b908b52e46a50058d5268916ccc03e257

SHA256
75c772144e3f2cb30282cd7cec1de2337f9b53eb52962253b4b168b0e3111a5b

SHA512
5920bf235afda596a65a7a2bb2c7091ba8d097c368dc00876a01de14bf80dacc556c0c1e93e75bcdf2b18c35b827384dd1ac40adc24ccc7d78a5fa094a6410f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 110457.crdownload

Filesize
78KB

MD5
45a296c3a40a6ed1decc8a7b15ddf12a

SHA1
20c177c6fff8c27c26b02f4417f8ca50e2397970

SHA256
518e0c07ac16d9f4dc42f8d16173b005026b1f2e36d10645d7eae76d2483500f

SHA512
1ad1d0614509feea8fa70dd27881876fa8a362739a6ccb2521723587159e88eb5eb87fb997db5b6e71a5ba970c031efec692204175c6df9a364995462a8a7d71

Download Submit
C:\Users\Admin\Downloads\free-vbucks.exe:Zone.Identifier

Filesize
158B

MD5
652804d6ba7c90e2280bf39fbd26051e

SHA1
d99cdf43de8a048d39d65da477e437f1c2e01cd5

SHA256
6753b0b25afb3a29302077e4abfc4d5b525a708a17ef6528848e43fef85c354c

SHA512
aee47da3625b06b804d6802099c23878bebae5f9b16c1f7c746d3b4807913f2519da0a34496ac7bc9a76ecb64a11dff2ee79a10069d85d3a1d565a7a851a6e09

Download Submit
memory/4760-158-0x0000017FBC790000-0x0000017FBC7A8000-memory.dmp

Filesize
96KB

Download
memory/4760-159-0x0000017FD6E30000-0x0000017FD6FF2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-160-0x0000017FD7680000-0x0000017FD7BA8000-memory.dmp

Filesize
5.2MB

Download