discordrat | hxxps://www[.]mediafire[.]com/file/lwg6n17e2ihznl3/Xapse[.]zip/file

Analysis

max time kernel
88s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 20:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.mediafire.com/file/lwg6n17e2ihznl3/Xapse.zip/file

Score

10^/10

discordrat credential_access discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MzQ5MjYwNjQzNjcwNDQ3OA.Gcd9wS.ILqVWchScpfnGA8kl3zS2LHB2KoDmKldZhEit4
server_id
1283486716660940800

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Loads dropped DLL 11 IoCs

pid	Process
456	MsiExec.exe
456	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
456	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
319	1860	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
293	pastebin.com
381	discord.com
394	discord.com
396	raw.githubusercontent.com
397	discord.com
294	pastebin.com
321	discord.com
325	discord.com
376	discord.com
378	raw.githubusercontent.com
287	discord.com
288	discord.com
291	discord.com
377	raw.githubusercontent.com
395	discord.com
320	discord.com
375	discord.com
379	discord.com
398	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\promise.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\body.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-publish.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-flush\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-token.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-cache.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\map-workspaces\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\verify.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\glob\common.js	msiexec.exe
File created	C:\Program Files\nodejs\node.exe	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\completion.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\cjs\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\lib\tracker-base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\protobuf\timestamp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\ua.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-profile.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-prune.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\internal\streams\stream-browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\index.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\reify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\unique-filename\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\msvs_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\build\smartbuffer.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\overloaded-parameters.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-license-ids\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\gbk-added.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\remove.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\with-owner-sync.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\HISTORY.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\process\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\node-gyp-bin\node-gyp.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\check-response.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\start.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\typescript\connectExample.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chownr\chownr.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\yarn.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\safe_format.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minimatch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-is-absolute\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-convert\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\realpath.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\inc.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\clone.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-help-search.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\analyzer.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\bin\nopt.js	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI16B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI259B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI499F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e581316.msi	msiexec.exe
File created	C:\Windows\Installer\e58131a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AB9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1623.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1682.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI256B.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52E9.tmp	msiexec.exe
File created	C:\Windows\Installer\e581316.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootstrapper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
312	msedge.exe
312	msedge.exe
4256	msedge.exe
4256	msedge.exe
5792	identity_helper.exe
5792	identity_helper.exe
5272	bootstraper.exe
5272	bootstraper.exe
5272	bootstraper.exe
1860	msiexec.exe
1860	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	botstrapper.exe
Token: SeDebugPrivilege	5272	bootstraper.exe
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1860	msiexec.exe
Token: SeCreateTokenPrivilege	1116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1116	msiexec.exe
Token: SeLockMemoryPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeMachineAccountPrivilege	1116	msiexec.exe
Token: SeTcbPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1116	msiexec.exe
Token: SeTakeOwnershipPrivilege	1116	msiexec.exe
Token: SeLoadDriverPrivilege	1116	msiexec.exe
Token: SeSystemProfilePrivilege	1116	msiexec.exe
Token: SeSystemtimePrivilege	1116	msiexec.exe
Token: SeProfSingleProcessPrivilege	1116	msiexec.exe
Token: SeIncBasePriorityPrivilege	1116	msiexec.exe
Token: SeCreatePagefilePrivilege	1116	msiexec.exe
Token: SeCreatePermanentPrivilege	1116	msiexec.exe
Token: SeBackupPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1116	msiexec.exe
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeDebugPrivilege	1116	msiexec.exe
Token: SeAuditPrivilege	1116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1116	msiexec.exe
Token: SeChangeNotifyPrivilege	1116	msiexec.exe
Token: SeRemoteShutdownPrivilege	1116	msiexec.exe
Token: SeUndockPrivilege	1116	msiexec.exe
Token: SeSyncAgentPrivilege	1116	msiexec.exe
Token: SeEnableDelegationPrivilege	1116	msiexec.exe
Token: SeManageVolumePrivilege	1116	msiexec.exe
Token: SeImpersonatePrivilege	1116	msiexec.exe
Token: SeCreateGlobalPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: 33	5956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5956	AUDIODG.EXE
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeSecurityPrivilege	4752	wevtutil.exe
Token: SeBackupPrivilege	4752	wevtutil.exe
Token: SeSecurityPrivilege	2584	wevtutil.exe
Token: SeBackupPrivilege	2584	wevtutil.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 4424	312	msedge.exe	83
PID 312 wrote to memory of 4424	312	msedge.exe	83
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 2540	312	msedge.exe	84
PID 312 wrote to memory of 3524	312	msedge.exe	85
PID 312 wrote to memory of 3524	312	msedge.exe	85
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86
PID 312 wrote to memory of 940	312	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/lwg6n17e2ihznl3/Xapse.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2e9046f8,0x7ffa2e904708,0x7ffa2e904718
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,4547076552886111919,2427454234721842260,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:3308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5884

C:\Users\Admin\Downloads\Xapse\Solara\bootstrapper.exe
"C:\Users\Admin\Downloads\Xapse\Solara\bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2788
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE77.tmp\EE78.tmp\EE79.bat C:\Users\Admin\Downloads\Xapse\Solara\bootstrapper.exe"
  2⤵
  PID:1516
- - C:\Users\Admin\Downloads\Xapse\Solara\bootstraper.exe
    bootstraper.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5272
  - - C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1116
- - C:\Users\Admin\Downloads\Xapse\Solara\botstrapper.exe
    botstrapper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 63933F3495C2ADE317A12DB3A92310A8
  2⤵
  - Loads dropped DLL
  PID:456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0A49E1AAB43B39950AA5E8A9E6A79D15
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B3F49B0DFA4CA2647027BF9C968632BA E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1208
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581319.rbs

Filesize
1.0MB

MD5
01a7008f903e0e0d86e0a964c84bd9e4

SHA1
d1960ff0e42dcee31dbcf97c6e33ae6a36ed351f

SHA256
770dd783d903ff62189e2573d626744e13e3dc345327754f8162f2a714de2ddd

SHA512
9af5cb1da9ce0a233548c18c630fa6edfbd387cb46df1e4a137150b6a60328c0f3c3be5ed50c307eb5400d1f6c8271b7cfcadeff025c9d0bf969faf361eca41e

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
cf60c83f1e92d787a163836191346ffb

SHA1
2d039de03ddc4feb28afe101ccf44c9179c07bf3

SHA256
df559ab7e9b7b5074e06ecdf08fd05da988b5a3d1108af809ba0badd69584124

SHA512
75001c5509666c6960b530c92659589b6baa7f44cad91efec84c86bee7643d20ff57963e5da3f664ef4873a3b7d9d416f78a00f238867e7ca3e9e9d8d5020724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
232KB

MD5
2fea785bc1ffc79c5d51b17b727e6b0c

SHA1
bbddc43b5f88d3c0ae3848af1bceba400bfe2064

SHA256
f59d68f16231ea82c6c55ff63754ef76271b86e3b5f598f8409017014a57dc8a

SHA512
736e1dd3445ef796d773033705b37a18cf37cd7fffa846ba2c28e051d60041eac8426a4aee5c82a7e69ee11716e92c3529220366289534212c4ff55ff2303f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
20KB

MD5
78b73f6aa644f6710b967dfd263d40bd

SHA1
22646bfd44ce99a80fa1ae71407e2fad328beb80

SHA256
397db50d71e076b5e90424581c013707ec0eb99bf7a8032fef7c20ba23a69d6b

SHA512
f9c38091594878a2f98686babdef5aa2a04377a00b1487e52f477d3fc4c61c2eb997aafe3aca68d614f8cdc5641cc93a97a42225cb49674fa0b957e1e69aad93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e1465e66400fc9d9d76107369aec482e

SHA1
f696c7547144c3486c349437b551e0d9ea5cf3a0

SHA256
038304ae4bd2e31bcf55d85d5dacf1714250f611210df99005f9192b81b25f70

SHA512
6cbf09d55fd4245ccfdeaf533354730082f31bb3c8a2d3d21811dec21e6ab27ee6e1eea8844deeb92e5c06f02356b1ecee168a36054e8470141529ccc5410171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6b57ae01376984825af4b381a71362ad

SHA1
c545ef32b3742d3f311a2c40e08558a2656f7126

SHA256
15ba3ee74f1b34fca4e7a5840138af66ac596ac60ac94bb0960403becd054923

SHA512
751d47ad796550737b0eca399bbbc0ac7750538a7f053c6f4b5c752ad608db011d01ba9ef0f1bd2a27f93a682c4a4f1c513820264f01bc1f1422a59dbb9ad7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
1187d48ee886b61bed363927679cf213

SHA1
a8884fe5ee84d1c49fcaa947671c2bfa378157c5

SHA256
e90f517722a72d4e23f70cae3e42b46130f66d7d5d6a5e479cf3c23a9e9f1135

SHA512
4ce03a0deb0242069529c59f5f130369fee11b0ac76aa6fc3398680c64df414d1b59e67701a1e162a14fc2d9ce4a687a69f0c07c315f57bb60884bedcc60d4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
566da6c0cb53986951a02d7dcd3e6d1a

SHA1
68f2b6103c47064709f48c682a6093e5620722ef

SHA256
21f32f537d18c4cdd9b6a2ef134539b9dac682addd833ba295fc13267635e4dc

SHA512
57719a4ec9514301772a8590364333af967d1a4ab3191c2e2a458d93c5cab54f35c5d2fb7d543622c6b14f1dc9621a4d5e0e7df8bb35a316173e065f14421111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
5f395c2f1671545de6fad8230b5aafc8

SHA1
dff1bb369825c62a7bdacbbe5841362b7f289e2d

SHA256
0e82f632cd86dad51bbba8c649d1c986df46241314f94ca2d9af700a0eef3a38

SHA512
6ba74bdcccae19147dbad71cb1e2b7482f6b8b3b0f48ece4d0a3344bfb2c8c9f3fef8ad15dafa6a5a29b0d91c200a126615090d0816228381eec26e53380a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
3532e6e6b04ce28054889a8c0db2f4ae

SHA1
b34a6f8e373cf0b3f0f378a53780fd32f88e6aae

SHA256
0203fb2ca7c60b3476265f499c741fab4809c8c772efd1738b8ed41e364110ab

SHA512
32d8a1c2e3d43234281008dcbc3e78ee09c7c88597ce6d1cdc067b60f65694c07b18b205f95cc65212a063971b0f1d1574444caf132ad5a9c3fda9f7dca87424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
558114fa4a5e5add5af8912f8c3abf2a

SHA1
24e5b092618c85f978b421495267d049eb2c40fa

SHA256
05c4e1df16fe0183bc508741fd9feb2df7adacb9d751ebfdabc8ebe35c14afe9

SHA512
a7ecfaf65939eb97bd9db99f776821796f4176e6b7508bce3a5d71aa6742e073fc28bca40e09b5a00d78f85ad32a67ba3f2b709b3097047c2e36778899efaf0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a97a5cb42b9480a0020804f39dddc316

SHA1
b94405db0bbfe34503e9dabe354dda3f57e47f26

SHA256
c44ea03fd4631ef5da0758a0d201e86f0c47db31a7dd357ae72d5810e48fb8b3

SHA512
b2ff4f74f92f7a215a8100ef4568fa540b2c7b65bbd634cf6ee4b5ce7fd3c47a549f58f9b8b46715cf420b2e0019a00d58a27ee4feb73a33c6e07929f5bcb60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0c36e30e-f1b8-4ebb-8378-1671b3e10658\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a7a21d43-7eb8-4a56-865b-1ad890a7c32b\index-dir\the-real-index

Filesize
624B

MD5
73b785fc25b59b5b4f4405c9895e0e6b

SHA1
e6cce59b39bff1f2ff50d4e52ba81b65a02b6ac1

SHA256
35533cf8de847c9384964342ce2ac7e2e1c9070588a3af626cc0c18f067885ef

SHA512
75ec0ac0c813459411a80ee75e73741ec7e7aed4e39a441e2397ede9106a1a2cb0582cca666fcd710c8b920210bf92566176f56bc8e928d2c3ce05324188237f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a7a21d43-7eb8-4a56-865b-1ad890a7c32b\index-dir\the-real-index~RFe58bc27.TMP

Filesize
48B

MD5
3654309370399a84775e746bcff5fa25

SHA1
a02b5e6f9bb154c3567bf0179ec98f7b17bf0143

SHA256
c9ad4bb25df911174da2b93d5819a40952da086796bf57a69f95c71dccd99332

SHA512
29a01b9fe00c1be1970f884aafee7e778f1306575ef957ee6f4a7de31fb9a7555845d885b3a70b9ec1256767db42d8b6c53bbcede25c90ad9dda5bddba7631a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b3d666c6-04e6-4365-9e16-fafb7f16fb07\index-dir\the-real-index

Filesize
2KB

MD5
c3fc98314435e42817a7c0285993b58f

SHA1
3d18838a0d565cdf3cbc702e52373a174bfde98d

SHA256
fc5a03ac25c5e160e67dccbba1ab916bc25153a24c592a8dc18460a9f0e5c911

SHA512
e50128d027a97571aef463e502bff74f70cd16002cf1c3de01f893cfce08d47d7083ff57982a28b64ea64399dd0c72bd8419be11a21d00db8e79e594415e253e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b3d666c6-04e6-4365-9e16-fafb7f16fb07\index-dir\the-real-index~RFe5862dc.TMP

Filesize
48B

MD5
dc70eebe149dcb8671a8887f7e7406ec

SHA1
60a2e55049e86612b0bd3c0bf3056e1eb8df4013

SHA256
108f648082ad7a37b40b8afed53940a9bd43ab469cd38e3b8bfee39fc189dd87

SHA512
8992dbb1498c55b358e3071ed56a795d51cb21342cae535dc2e6cdad2e83dba4e81059a4e521957975a91f51eae48e1dc5da1ae6746446621680b7637b8d1975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
6b5e0041ea68105625d32dd924592eda

SHA1
27f86a60cc60b39d1d0599de49699dbaaf098579

SHA256
e86e8c4f888803d3d2c6579076353a36ddb08887b7074ab62124fced9376c032

SHA512
a9c4b4de3c9242b2866affbf2ab4cc33aeb8e57d347c42efa908dd8c694b30ba89b5d14abb28da33f7e0ae7bfef59688084f59e02381fd6f1ed31f0a16a26d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
82afebd7663fb6001125db2fd5406a52

SHA1
6b6e18681611e9d7e2249a7d300779d2394d2aa5

SHA256
721dc0bca507631e419fb288de8cf94d4bd93b06c9f0cf3e800ca2cdcc424734

SHA512
4befe9174a0d741f331692a34d5c3dce037c64ec661561a89d6c7430e58d81983976c88622dc7691178bcbe15da87e21ac03172cce176fbf148cf4a5c9d86970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
d22e53f689e417637e6393c89c617666

SHA1
f1ff335c08f73564efba624b5eb6656a81aac85d

SHA256
6a99a0e9f75e494bf0e7f323b283381ed61ca2f92e7a419f5ceeeda185f00979

SHA512
37148186f2daec93385e94de78f664adf3dfa70927a658c9867750f1375bb40dd5be20558ef1f3a0abb28de07f7827decd20e6892cd8c663367299550bbfd241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
56228181a64454d8a34ee5c8be98d267

SHA1
e6e09710ae38b524532c4d1270e7a584e4390fe9

SHA256
541236741b8e186fb440962245e362b33c1c161e3bccd69efb15ad707199b517

SHA512
3750c2892d7ec348410d9198a057677ef0f75ad7353d73f7cdc37927d89b825b446bd457e33dad90459041278b084e45cf3f24472a6110054c20fb7aa4bcebd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
5fc0d01e95614f41f170a51683c00007

SHA1
5b30045b51891feeb37aad07a8d790b80194d5be

SHA256
40f40e99a68d3fa0a6d09e23c43117ada91cd094ecd8a3867eb5032d04a558c3

SHA512
98b224053fef174ec4b86825793181f26fb1ba9055517488a330f151bd4c3fd9e36187f337a82e59075fd663743d7c46a067960016e7704fdbc4980824726848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
5ca38621b3b4ebfdb4b9af81463c771d

SHA1
1882b99c725915d101fa5c4b12b51b37f625d504

SHA256
bfc830293fbb6569211895ef57d50a73006b69ce9fa69721a94a21e7b004fc4c

SHA512
0bb1024165e81b2c3d1d7069e0d7e2adcb2966991d12e988fded6f031974a1e56b9896404001824b6b91cd2d25098b80082a1f6a785ab0b9793141ab557faf73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5850f9.TMP

Filesize
89B

MD5
c89e9d0e2c754404236c7055505f0710

SHA1
0aad091d438d25eeff91f8ef30a6c7555cc3d406

SHA256
a45d6843bc381801bbea9b7c9e1a1036abae281b215004b7e9988368a30e3327

SHA512
9a60a6bd4afd2643efbc4e8875548ce7e1d5bd8b354d0e4eaf6f1c216d0e9b120728f70d9ee6a08eedf44c17f99687966751979d6fe288bc2ca39f5c8e4d5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
656e90276782f3ec8954ba087ec5593e

SHA1
d8f7cad46aa3980dbafa225c91f2c6f222f88927

SHA256
0da31daa3afef18eec35e06756c1aa2434a2ab0fa5cbfa94be605052b40c4416

SHA512
ba42428838cccdcd996fdc42f5de91e8ffa3ec118905554b02188cef3c0c8aed9bb988174cd4153e470e3f0a935f6b12e9a733e7d428fc6efb33a8b25a69edbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b522.TMP

Filesize
48B

MD5
5991566cede7fa073fc804d1fbb8c4f3

SHA1
1196bb13aee4a47679441b2ec3ad2e2a5041c78a

SHA256
7566ae595651d8c31bf54d6befee736df34fc45696d90d931495619f5655d779

SHA512
9e92c19eeea65ce11a7e1d4b421d1e256b8204cdd4c8bbefa287c0119b4cda75f09911416dc8afa289cc7e2f988818551a14a58ece0855991dff368cda683d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e347b96c8d2244b72c1677c4e38ccef9

SHA1
b9596e7afa888ee38dae1ca4cd314c1c9b8e003e

SHA256
f39305dfc34368ec621b0de93869700aacb7535bfafc1655b8e6abf0b5f30a5a

SHA512
99e8b8f6fd4d67fdffdeba388591f8cf381650e2019f8b87e990611f4a79e2968bf8d5fd9a0fe370b8b3a48aa8af90ad59ebc8b7aa5d2c4bb7e5d433014cc816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d36ad04007bfaafaa8bc0f003f492126

SHA1
2342db223fefe2093a722cb8d3e22f4fcb593009

SHA256
83b36684b1471a1225d57ea977ec1d5faf28ec872e80296db9d2cf2cd64b56b6

SHA512
d651cf6be607dd44e5f83ee0e2ede8507eb671e1b4ce67f692129292b42ddcd87341764398814c43a2c8fa59b26f76f3a89da4193f35e782472f21d2cf01ef38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92b20a9f400d9e0fb7f804e1df92f9d5

SHA1
165ae681225901e943ae3870dfec4c7ba984e932

SHA256
fc49a2f02765bdbc6911d5e0ae1a5389ca60825fb2516b44ce6cdd26b656db6c

SHA512
e9068f9e43f3b361f0e23dd1aa762b12f93250c9c1e51af5f2baf165474d8c3350c18a9057db32eebe6b27930365bcc36d9c19f37d083a77bbe153ef6d30acdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dafe.TMP

Filesize
2KB

MD5
d1b345e2f09ba2f4bb47cedd51449e97

SHA1
426e8b7f44507574ba3d7d367b834f083aa08606

SHA256
ed3972d29171ae386ef577784014f29353ef0d7f5b2ebdddb11d703e10390f45

SHA512
477db526a78eccb882bc246017ecc1c4894ad1cafe1fb66342e6f17af0849fefb7772045be3e6a6d3b115ff40701533d14d72751f254c86f42a05229acf7b7e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a6469cb9d75cd563f84cb01f13c5fb2c

SHA1
0d8b7a1ca46a744f3b9dcb92f741307e2e6df4fd

SHA256
10d21a3861e8eb2572b3f2b2ad8af85931f64410cb112c35bce2bc747b2db44f

SHA512
eeb9b43790453e13041d1a1411a8a77e89c713d4f575b05a263380dd6e7602570a5ba2fd7215745ab187d3e0cbd0e511ec7f4244dbf300dc3494d51e576f2a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
59799b3922a71ae1649d1ec025fc2335

SHA1
818b5777efce5b28c7da1d705e3e511adcfec9e5

SHA256
5ab9bf52f7a9e5759358d35028f8be2f44a6d08eefdbcead7fa1de67b02eaf6e

SHA512
c8aeda3cac24c4904e53b9c261b1f1cdd7d873d1a7706034e1557479171f119b361b5e31ad58e252c523258937837805253f875cd44ed29598c28bfebe711580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1dda170c0ae19ecaecd6dee55a55d817

SHA1
65016e191737eaf052c7e050b8903f09c78ffadc

SHA256
4c6f17a2d2ad6d90f96c14f93c74c4d3ab7865fdfc735e63a4a52e4cf600dbf4

SHA512
f586824e74cbd6010b9ecbd51488e075670a52df5d7668bc0e87967fbff07b75f7bc79b1c0232f01ce0012f2217f948af6d9d0116bcf39ca97dc902d601a0577

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE77.tmp\EE78.tmp\EE79.bat

Filesize
68B

MD5
646c713009ef5caf7d3a3db983482149

SHA1
6362880bd6f2faf6a2d4c85155a44a07c015f587

SHA256
3037135e8fb4a77fd06f19150c38d785de741558376a0afba95a350eeb64a0ae

SHA512
2df2f3640e79818cb9ee0d31ff0cfedf1bb2ee9f92a2ad97f7c41256df4110b233751a82e28b77068f3859075fd7ce371c3dd5b2692106c2d7a21caa2fbd806c

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\Downloads\Xapse.zip

Filesize
415KB

MD5
6189db7c9380f6c1dbdccbc03ac3100b

SHA1
e426ee6c9df0168cddccf0bc13cb8b582b766e5c

SHA256
902ed95364247dbe1dfa2fc9489a02d22331d1833a430f957cdf22339db11ff0

SHA512
9c2c18fab15907165053e3008a3c495c640b35a60d14b77d438b765ecc20a540fd16cdde54920de7c181a1da6a277efdb759b237616870177c0be6444a08168c

Download Submit
C:\Windows\Installer\MSI1623.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSI16B2.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1E07.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/3368-3591-0x000001CF7ADE0000-0x000001CF7AE56000-memory.dmp

Filesize
472KB

Download
memory/3368-3593-0x000001CF79E40000-0x000001CF79E5E000-memory.dmp

Filesize
120KB

Download
memory/3368-3592-0x000001CF79C90000-0x000001CF79CA2000-memory.dmp

Filesize
72KB

Download
memory/3368-3649-0x000001CF7B7D0000-0x000001CF7BA9A000-memory.dmp

Filesize
2.8MB

Download
memory/3368-230-0x000001CF77FD0000-0x000001CF77FE8000-memory.dmp

Filesize
96KB

Download
memory/3368-231-0x000001CF7A780000-0x000001CF7A942000-memory.dmp

Filesize
1.8MB

Download
memory/3368-233-0x000001CF7B0C0000-0x000001CF7B5E8000-memory.dmp

Filesize
5.2MB

Download
memory/3368-1243-0x000001CF7A5B0000-0x000001CF7A65A000-memory.dmp

Filesize
680KB

Download
memory/5272-2862-0x0000022CF8C10000-0x0000022CF8C22000-memory.dmp

Filesize
72KB

Download
memory/5272-2742-0x0000022CF8BC0000-0x0000022CF8BCA000-memory.dmp

Filesize
40KB

Download
memory/5272-232-0x0000022CDE300000-0x0000022CDE3FA000-memory.dmp

Filesize
1000KB

Download
memory/5272-235-0x0000022CDE880000-0x0000022CDE8A2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads