discordrat | hxxps://gofile[.]io/d/dh1exz

Analysis

max time kernel
145s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-08-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/dh1exz

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3OTA3MDYxMzAzNzY0NTk4OA.GeddYs.Bw7nRimxl9SA9swRqiR0AXit0EHms1ANWdPBTE
server_id
1279070803266371636

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
3548	free-vbucks.exe
3712	free-vbucks.exe
244	free-vbucks.exe
3828	free-vbucks.exe
4032	free-vbucks.exe
5224	free-vbucks.exe
1508	free-vbucks.exe
3540	free-vbucks.exe
2256	free-vbucks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
27	discord.com
33	discord.com
11	discord.com
30	discord.com
36	discord.com
42	discord.com
45	discord.com
48	discord.com
51	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\free-vbucks.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 241125.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\free-vbucks.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5608	msedge.exe
5608	msedge.exe
2944	msedge.exe
2944	msedge.exe
2640	msedge.exe
2640	msedge.exe
5836	identity_helper.exe
5836	identity_helper.exe
4972	msedge.exe
4972	msedge.exe
6008	msedge.exe
6008	msedge.exe
6008	msedge.exe
6008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	free-vbucks.exe
Token: SeDebugPrivilege	3712	free-vbucks.exe
Token: SeDebugPrivilege	244	free-vbucks.exe
Token: SeDebugPrivilege	3828	free-vbucks.exe
Token: SeDebugPrivilege	4032	free-vbucks.exe
Token: SeDebugPrivilege	5224	free-vbucks.exe
Token: SeDebugPrivilege	1508	free-vbucks.exe
Token: SeDebugPrivilege	3540	free-vbucks.exe
Token: SeDebugPrivilege	2256	free-vbucks.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 5696	2944	msedge.exe	79
PID 2944 wrote to memory of 5696	2944	msedge.exe	79
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5088	2944	msedge.exe	82
PID 2944 wrote to memory of 5608	2944	msedge.exe	83
PID 2944 wrote to memory of 5608	2944	msedge.exe	83
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84
PID 2944 wrote to memory of 3764	2944	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/dh1exz
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda48f3cb8,0x7ffda48f3cc8,0x7ffda48f3cd8
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18375898341781544843,6528930467984892033,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4596 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3524

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Users\Admin\Downloads\free-vbucks.exe
"C:\Users\Admin\Downloads\free-vbucks.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
59f9bd01b952f61471daafb5f4e9c793

SHA1
54d7bd754a83629e723e4bc55f84b31a6e84e5cd

SHA256
7e92b40ca9ca42a5f474ca8b7c2a4e93a3a3f817eb5845a05e706874a880a771

SHA512
60a5992424ffe8a23bcdb13381c13b757850508a9b8a0542934289167e5e3926b1eaffe32a87b83d66e5e9e8d61a324c6f54dfcb7cf42a10483a1bda9188150d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
a0eb2ea9f256535ddde6c960e96f8872

SHA1
e6f13449ffce0834281c80d688c3ee873c86f8b7

SHA256
296abe3c4bb1cd799453d0780b3f995ca271f6e5a10d7531607e2f78acfcf997

SHA512
9333690f5d8c446266bb52bcbaffce2334656a55f8424726944162a0f123808cc2ad185e094b9c32122ef762663366b77128579468c2d4e26d68147b109d75ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38d6897a3fa792185065a73c7d44e2d4

SHA1
006324cced89ba4985e87de6109303bd0baf99bb

SHA256
a2d2ae125c3b43068831a2e3d46bc59cea58cd99c80afa18ae09d6a1a00521be

SHA512
1cf157bd0a1f1c04fc987dd67d87f79fbd66de78ae91c64ec7e7e876a6811adc5ab6a5ed960fe5a8e5244f20b1aa40439349ac7a53fe4dc6580e40d11746fe2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ec7182ad9c11fa91885c1afffd844a4

SHA1
e209e2a8818a505ee212cd9ada3a55d039839ed6

SHA256
9dd7c2905fa496dd7244989c61b310c72d805152cfac6a333c8c2a725be9ca09

SHA512
3fa77b487e54dea19b21a82d9ca063ea7455b46c676bf816db074b59ec4bdea6dd86382e01825d4f80c47790596b6ca75467709c3cc32ffa218203e6ff17f93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ec105d5619311ef88b93f5f23fe2642

SHA1
780fc575483feab55db011e654fad6ebc477e672

SHA256
904e2b1d156a6342c76f464f1707e0f20d24bf7e409804053a7f8706e330199c

SHA512
78362582f836c43c1583b0d809b2fd8dd034882821ee948caaefb69402db8f3bab79335414b04a5cfd3404034cca79a56ff0ee0f0645cf8ee3057b19e9d0f5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec905dfcdd935965779c1e81db236350

SHA1
f01c9f9334a0b9e268b2c0e52ee6455eb487f6e2

SHA256
093ff111b302d2b325fa966ec507d7b9fa287fe35b45ba3b438df17c42ffeb3b

SHA512
20f9cd59c2f7da5e2bb7785f38356f747666cdb6f1600e1dcceab14a42176e46708db033ce20b256161c8da083a71937e177ae23eac232383ed004743e5a30e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efc929f3d1e8095b148c08a52af440dc

SHA1
b65004e1fbcf140fc8494fc88b79772340ef239e

SHA256
f74b1527e219267b689a805d42d28d1b4ed8d43dc8757003484b1a6c7a673064

SHA512
4cfb39038d5c8696a1c427135376e4da15251475c14833a881cbb7bf5bcdb21dfb4bcef6a128010271ffac72b1d7c7c6d7db20b4e97946a63e240298b5261bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
045c02cb18c60815439bfa6c2c855e93

SHA1
289688cae5bb143eb2b4be02190ddb887130f60b

SHA256
458ad91fb088ec06d629ab1db73e2994109192374a6b8b4cbdfab1851550e169

SHA512
8ce7c892ae3e2b1e0edada8a2b96d6f1e93c73697f2aa1dfae37cda5f6a8c1c9dc47f706f76c44dae398ab0b38d009f85c4845a46a55a962066fc2e104ee22b8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 241125.crdownload

Filesize
78KB

MD5
45a296c3a40a6ed1decc8a7b15ddf12a

SHA1
20c177c6fff8c27c26b02f4417f8ca50e2397970

SHA256
518e0c07ac16d9f4dc42f8d16173b005026b1f2e36d10645d7eae76d2483500f

SHA512
1ad1d0614509feea8fa70dd27881876fa8a362739a6ccb2521723587159e88eb5eb87fb997db5b6e71a5ba970c031efec692204175c6df9a364995462a8a7d71

Download Submit
C:\Users\Admin\Downloads\free-vbucks.exe:Zone.Identifier

Filesize
158B

MD5
652804d6ba7c90e2280bf39fbd26051e

SHA1
d99cdf43de8a048d39d65da477e437f1c2e01cd5

SHA256
6753b0b25afb3a29302077e4abfc4d5b525a708a17ef6528848e43fef85c354c

SHA512
aee47da3625b06b804d6802099c23878bebae5f9b16c1f7c746d3b4807913f2519da0a34496ac7bc9a76ecb64a11dff2ee79a10069d85d3a1d565a7a851a6e09

Download Submit
memory/3548-150-0x000001E9766C0000-0x000001E9766D8000-memory.dmp

Filesize
96KB

Download
memory/3548-151-0x000001E978EE0000-0x000001E9790A2000-memory.dmp

Filesize
1.8MB

Download
memory/3548-152-0x000001E9795E0000-0x000001E979B08000-memory.dmp

Filesize
5.2MB

Download