discordrat | hxxps://www[.]mediafire[.]com/file/mizdk5pdyjew6u3/free[.]zip/file

Resubmissions

29-09-2024 13:56

240929-q8xfgaxaqj 10

29-09-2024 13:55

29-09-2024 13:50

29-09-2024 13:49

29-09-2024 13:43

Analysis

max time kernel
58s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 13:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.mediafire.com/file/mizdk5pdyjew6u3/free.zip/file

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NTMzMjE4NzIyNjU3MDg5NQ.G8JbnQ.e3hcNRGJvvOi8ZO6GYOCKIQI-BykD71Mo5llnc
server_id
1281541058815066162

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
3504	free ad blocker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
532	discord.com
533	discord.com
536	discord.com
539	discord.com
540	discord.com
541	discord.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\free.zip:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5516	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	firefox.exe
Token: SeDebugPrivilege	4268	firefox.exe
Token: SeDebugPrivilege	4268	firefox.exe
Token: SeRestorePrivilege	5828	7zG.exe
Token: 35	5828	7zG.exe
Token: SeSecurityPrivilege	5828	7zG.exe
Token: SeSecurityPrivilege	5828	7zG.exe
Token: SeDebugPrivilege	3504	free ad blocker.exe
Token: SeDebugPrivilege	1368	taskmgr.exe
Token: SeSystemProfilePrivilege	1368	taskmgr.exe
Token: SeCreateGlobalPrivilege	1368	taskmgr.exe
Token: SeShutdownPrivilege	3504	free ad blocker.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
5828	7zG.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe
1368	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe
4268	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 3880 wrote to memory of 4268	3880	firefox.exe	83
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 3248	4268	firefox.exe	84
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85
PID 4268 wrote to memory of 4116	4268	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/file/mizdk5pdyjew6u3/free.zip/file"
1⤵
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/file/mizdk5pdyjew6u3/free.zip/file
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a89a956c-ef15-4b0d-902a-5cf1105df83d} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" gpu
    3⤵
    PID:3248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3432b465-44f9-4cc2-a75e-d2612d33de17} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" socket
    3⤵
    PID:4116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 2808 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92255e8a-c59a-4282-b58a-23d33c93e0e3} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4d1dd8b-5f7c-4807-87be-99a6d652a8a8} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:3536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4372 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4408 -prefMapHandle 4376 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a3ec74d-adfc-4f04-8f3e-f64e85808991} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" utility
    3⤵
    - Checks processor information in registry
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 3 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bdc8087-8596-4372-a712-57d7db4b9b72} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93903a37-e984-4e5a-8c71-5c2148141ca0} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:1316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 5 -isForBrowser -prefsHandle 4676 -prefMapHandle 5156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4831459-1c1f-45d2-b2ac-8be02ef67175} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6192 -parentBuildID 20240401114208 -prefsHandle 6180 -prefMapHandle 5896 -prefsLen 29278 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5215e637-2c29-4d73-aba2-122abe794d41} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" rdd
    3⤵
    PID:4532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 6 -isForBrowser -prefsHandle 6800 -prefMapHandle 6792 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d107417b-025c-44bb-9d16-52437ff189d9} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:4948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6932 -childID 7 -isForBrowser -prefsHandle 6944 -prefMapHandle 6716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fea82a-4d7a-4420-80f1-9db3d2cadf4b} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7116 -childID 8 -isForBrowser -prefsHandle 7124 -prefMapHandle 7128 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bfd646e-e650-4d13-aa4a-81c574a94f5b} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:5092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7316 -childID 9 -isForBrowser -prefsHandle 7324 -prefMapHandle 7328 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {715d2d00-a73a-405c-8186-3fbfe3d3eb9e} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:2768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6976 -childID 10 -isForBrowser -prefsHandle 6984 -prefMapHandle 6988 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b08b7f-f874-4e5b-9a9b-2b7d36631964} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:3380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7172 -childID 11 -isForBrowser -prefsHandle 5916 -prefMapHandle 7204 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0edf376-ebb0-489c-ab23-ccc556f654b9} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:3496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 12 -isForBrowser -prefsHandle 7996 -prefMapHandle 7952 -prefsLen 27188 -prefMapSize 244658 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b1e7c00-a131-4439-aac5-a62780022310} 4268 "\\.\pipe\gecko-crash-server-pipe.4268" tab
    3⤵
    PID:6096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5228

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\free\" -ad -an -ai#7zMap5204:66:7zEvent1656
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5828

C:\Users\Admin\Desktop\free\free ad blocker.exe
"C:\Users\Admin\Desktop\free\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77free ad blocker.exe" /tr "'C:\Users\Admin\Desktop\free\free ad blocker.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
e24dfbbd5470b959c5bf3690195adac4

SHA1
b513fac7f92d429178c4311bc8d5b19bbce11fa5

SHA256
c8279299ac4c15de651f0c974f450b228fa6820830e2dde678cfd8d2f3138ba0

SHA512
6f79142b7ed429ffdcd5118d328c74902e7d3568a644d891a99d9c55dffbfaaf3f912013f699d716107aee9108cd747bce7fcbb474f171617f42c99a37f2d43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
254ea765705123e8ce2c3bfd7f42805c

SHA1
3c17d6a8721c67a8bf38b14bcfa32b0f2e3a1c11

SHA256
03c0ec59d1e5606b8368fd8206425c0dcef0c2ae809f4e21b339e4b46dd3d55b

SHA512
f6b058c555b8e3675b1ff4cdd69a311de68efffcbcb1406bf3b1149f0bc8214a514664be9481438387d2463d3a0e1780d4f8c355f0e861fbac400e49234a0a58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
51KB

MD5
6ebf04bc6a4e17910a292bcab89c9922

SHA1
92f5e30a34e270d44c0b09fd7106d10fa2ce7074

SHA256
8706976beeec347fa19af5e7cba4169aeea787a74919085d4147aa0cebe4bd56

SHA512
af8be92624239b9f40666080dcff2a2622ecc86a7f5b141632ac80a5bb03aaf81f459209fdd11d30dea47cb6df3b8d4c7b573c6013127119aac4176769e4342a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9065ce9babcaf2fc50e242fa56213cfc

SHA1
d3054a7bb82bad9979b674456d6a7588fa7f96c7

SHA256
63880361b07869d519ea33a529e62d3e1010aea975ef7ed4ee859e377eae9668

SHA512
1ea1bc12ac8e062deed74cb2f7a9b0b2ecb1a61a5d55bede54c7eeacc4df9ee354cdfab372814e202fc22af947687c35b7f2e7f722d67b466654efa1e6b17c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
639a877368bf1f1fe1f8baf026c5dcb9

SHA1
6b5591c54782e3a31bfae7aea0a59e2c75b7ebc3

SHA256
6e8b19ba8463ebeecddae0e959db9693175c7c4e38d96f074de6427598afa78a

SHA512
fe0f2f435522643cb7402a2530a88e81d7fc1746b91627dd9109f68ea1f0119a176edebfe2eeabd5c58b770feaa8c50e9d8a104ed550e50b7c3c19fbf5683db9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
966f96dca3440757773da3eecaa33a7a

SHA1
059d5e6ec1d66e80d56ed669fcee05f9a82e7681

SHA256
a3f36f7a0771acf2d50c36d9cb5d169de72db1b1915c988aadb15bbb3863de5a

SHA512
1cd575557c7b86ea1b61c12df687223e0f525e6c45e0936b16c3824a0a3958a5ee904480a68f93cd270c81f2d67c75283d65caf6012df01bbee19c3d7686017d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\26c8acdb-5fdb-4b4d-aeb3-d2d1aa1896c5

Filesize
26KB

MD5
0ff447b6f1f520ece631175facb6564a

SHA1
490f6e6a970cbde3a83faeec37a4a2818baaec8a

SHA256
096fd7cd3a031e476128c69116c0a9e1c4fdbd68ac7566a0268c5393e7ad93c3

SHA512
0aa4f42b680807015ea6dd3ba74443662936af7a5fb5f86458fc2f3fd6b5f935f89e1698a7e52ad14cb6a0ba1ed22df79e39e859be0893e80ff2ffe24c48bba2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\78005b6d-dcf3-4144-ac0e-66d655193fc1

Filesize
671B

MD5
e3c98e692f1b50f7a1ee7d65231ca7ae

SHA1
4226b23d4ee250eb3a780317013ce595aa3586e7

SHA256
80b7d6aafb1bade497fe0d1ef4049782dc202b290270c8ee793f00d472fa9893

SHA512
daacd3fb9bdb8396a76fd4c7dd90ec558c457fb9429504dc9343a5fd2697eb3ebdef82ea706869e0bcc5b65f05d25a1bb8517f492ec7dfb80e39135d130aaa3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\9869ac62-4f36-4bda-b84d-f9f15c90ab10

Filesize
982B

MD5
1edaf80da54b2a67cce4d2b3f8e82746

SHA1
82f71391a960edc1457bf66bbbe8d24034c9e81e

SHA256
071b0a3606313b818aa86927f134845fa49042b9728679bb5c2bcdaeaf9701ad

SHA512
da9db3ff6d3f8d125057839aa3b3a62e35fbdf66f39a9863c6fbac0501878234d623fcea3aa3609d01a05051cfb2e87e997805730ce4212cf6375fe5b0e56339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
f6126459a002e0311d0bede10c7a2091

SHA1
aefdf7acea2e9bfddff34fb8cda5c12192b38ed4

SHA256
6728cfac912dd6e175ee134934db69f3fd8c479d8d9dd1bd81dea4b0463943eb

SHA512
98bcecba513bef66bb6f180b192ff17aa896f72eede452dccf93d5735f19358198825b5649a23c4d0d68213313563f1524121eb5ec491ad28900fe7ec2d5bda1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
0b5cdba0c4184359e0ee2d5651cc9d47

SHA1
7d215274aba125ec3caeff0f11270319d946b9f2

SHA256
25e389e4af258a391c419c2a656df15fa379dc55c534202b8845e9b1fc680e34

SHA512
9f67ecdfa1a62aa1d56f0e0e64d9aac42cc0d5a760bfbe366f047fac12fde66c5096383007f0c305a7cc260fe5b1e10ccf70f60d49d93ecac527bebfc5877f27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
e450dc8f1d8dc5bcb6f8f80c62f5818b

SHA1
94a2065ac14161d79896e8b543d3178583b63240

SHA256
2f6965927a273c0381bae3d3414078e7c2325df4f8b6db5e3280c6e1eaa50310

SHA512
81ce0d951e261317b0df40f0d4571f3fd94e439e8941780ede3d71d75a3e2ad1fa92cfacb814a8104874b08454a203c4dc35de91de3e50fc8ff639933ad085e2

Download Submit
C:\Users\Admin\Desktop\CompareConnect.mhtml

Filesize
418KB

MD5
c0ca440ac4b340228674b3444fa14b84

SHA1
848e3db998dd9df372bb9d600919b60e83e7a113

SHA256
a3c0fce1f649cd32acf5baac74953564ace1a32d9a470ca372aacc5c1fc864ad

SHA512
1283fe7060e5a9c40eedcbe7366cd4c746255dd1ba8706564c4520624ec42c3dcdc8d734210578c9427e7a56821adecf72bc77198a1126d0ccb24e6853c486f6

Download Submit
C:\Users\Admin\Desktop\CompressResume.xltm

Filesize
820KB

MD5
f28a59a59280e35581700df16defc452

SHA1
3f44139a16274566e3d8d280152ea92f3bf5a4b9

SHA256
e517c3282ae5cbfe1c88c6e921c0e8cd3392434418132a7ea10e959523b833c1

SHA512
c4dfdc71082126ce72fa566844c4416fcde8822c81a84695eb80c8b5e68c39e443a0dc49daead94bedb576d5b7ba2ef6ef54d6cef31a44eb0e91b02da39909b1

Download Submit
C:\Users\Admin\Desktop\CopyCheckpoint.MTS

Filesize
882KB

MD5
e1abf4f14eefc0a3ea79dc79da8c6dc4

SHA1
feab2859fc372df23bedab1e725012329eee88d6

SHA256
6d6db62d979b0754903006e1cb3fb8288a4d945e40dcccbd1b8775cff15dd722

SHA512
3e382faa86db982cc1079d258ac38fbaee32a6fb7d2fff24e5cdb4fdd6c06cc5f59138a39f18e7e456ce67889f4651c27e9a1c4e9b163df6333ace6b03b89038

Download Submit
C:\Users\Admin\Desktop\EditRevoke.jpeg

Filesize
944KB

MD5
05a2131bd4eee94270d966f6fae5f645

SHA1
94faa70cdd3e41c8e9de4900d9df09dc96bb7867

SHA256
7e8d8db39d45e4f09f1359d6151c4633d67eafa6ceb7a45cfcf4f5d3831f1d01

SHA512
10c9dec56bdc6b73ac5071718bb1309253ef5de55542347283991cdc3817851a01c0606c821a64481ec39e11a8ebaadd2b2816edee782686bfeb2987f5ff9108

Download Submit
C:\Users\Admin\Desktop\EnterUndo.ADTS

Filesize
758KB

MD5
86284f84d88a7cdb619b7211cf8d5409

SHA1
9aa20a8ca2cf5bfcd00d8c9eda556ca8a6c10ae7

SHA256
58e8e91b3ba69b765235d07dd82d8ebf204f1a19d403354495964e466d2960fd

SHA512
e4fc3252f622d89cab327c297d7f85d62406204a89a82cf70a3a9ea1e4ff0606922c7a9407135060a650b67ac577a6361b8d1ca07223472bab2e6811f4fc3520

Download Submit
C:\Users\Admin\Desktop\ExitSubmit.png

Filesize
696KB

MD5
5b77c61c5d3db57afd942db8550e5fad

SHA1
b1d70abc35c545575b3c5dc36b5b1543d659d54b

SHA256
e02264e3cfe54ff6b9568f2de8dffa626ceacf2611bee0ab60d2190b8487084e

SHA512
c0c971980b28e465aff99533d575f108ed1bc591b705d8a527e6d134b8dcd7874a4cde6614002537cc7c889c7c7224b1efec4aecc034b694311d9bcac7e8d9f6

Download Submit
C:\Users\Admin\Desktop\FindClose.ppsm

Filesize
387KB

MD5
1c1ffbea1cf640916f38877284c5eeb2

SHA1
0d1905a3df4bb4b75e647edc6f8329751ea20155

SHA256
8ed44af40eb251c1f74eda42cb61f112eadef4b64234174d469292082491690a

SHA512
815b77ec388c4716d64f87b4f0d50fea8a34ad26f7f3dde08e5bffd381986cd65ef838023c3df30a4145c2aacfd65ae8a4e888ed2ecc212f5efcbf3a9221e590

Download Submit
C:\Users\Admin\Desktop\HideResolve.WTV

Filesize
975KB

MD5
b9a33b8960261f20c48eeada07c0cb93

SHA1
0c136d118f88960d80cca22cad9cde5f9ade4f67

SHA256
503865719c3d27e2de1ded4e4fdbe7e677dd93a43e87770ec546677bb04a2463

SHA512
0f645d039312bbf4ca7ed562a2b2f86f7dc793e4ede345fd9db1d6476f1b64af2f7534833a9af3e1276d6a70065ee370292a9d39cf97b0b6d7e38d73c408f54b

Download Submit
C:\Users\Admin\Desktop\JoinConfirm.docx

Filesize
19KB

MD5
dcd2a36ff8203b006decc0a3e184d1b9

SHA1
de0ab5bd28e239882c6868d627f0c1b3190e0164

SHA256
5f2c2b9253d11a5ad39c89a0e07318b76d76d13129db007d739ee8f757db4a31

SHA512
a0211564613a2af3c059e7f277d7ef4046d7279aa930b7c3a9c5c9ab26b44c443d9053e1ad0b56d57203f91bc9f618f419751e7e9fdadaed39fe3d173d4949c0

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
8a09535d0b9ef0bb39b5d16d226970f4

SHA1
f71732d6b2816d62f32191e74e8bdeed5b444d3d

SHA256
0dbfd9d243a9ae62ac99caaa20f52c1a422203469f9e3469d7675b1b4e06d941

SHA512
e34dcd0dfcba6fd8416b21168561724a4431eb726e280b1619cde6afd1454e272d41842abb798ce326de1a93d358ee14c9be99192974668e142a8d292459ac5a

Download Submit
C:\Users\Admin\Desktop\OpenResolve.mp4v

Filesize
789KB

MD5
35fdce392c6e082a43d0f6c3ba6fa63f

SHA1
6b74790b839d6dc9e2ed15b8dc9ca74cbde0a2fd

SHA256
b3c5be5d5c16c8079a46983007ace74a782efbb009466141479c1c4c7c2e0250

SHA512
053e43ebb427a35504ab37fd4865d59bcd16ca7fde7ba10af55387f771b3d1d0a57f9ec5a86825f2325e39a96a0014a89a0b76c476b55e70f0387df89252c662

Download Submit
C:\Users\Admin\Desktop\ProtectFind.mpg

Filesize
851KB

MD5
38403cc3fb61622e0a031b4c631310e0

SHA1
889957cb7f0d51d102a1a80c708ac6e0d2a505e9

SHA256
caf29e42c42aba29d6bce3e06ebf57f050d31d884c2846bc62c1a2e80153c2ce

SHA512
46473be980aebd739d4643edc8a777de3e7054c30d51569920bae95a2e6c5f7a1a3eada2ef55ff75f0ca8cc908e879114fd7dc105e17f0eb823752aef45a137d

Download Submit
C:\Users\Admin\Desktop\ReceiveFormat.txt

Filesize
542KB

MD5
ad32e8f915a8ec2f8970f8468fdbfd67

SHA1
5f85fd113dde9e2b1d4a92ac91d3bbb6d76985d0

SHA256
93aca77181cb51a59c171cfeacec63e2504da0ec29ac503b2fdf1c5aa16b0d30

SHA512
3f65da0c3fd615463fed331c4e16a1b26a9d63b4973b4bc740936852511452a903c9813459e7d6d4033310205d77575b9ffd70719fdef97e7d5b6bcc0ea1fc50

Download Submit
C:\Users\Admin\Desktop\ReceiveResolve.cmd

Filesize
356KB

MD5
e74b45803a154772c907514af66f3b8e

SHA1
8ade5f84343fa9731dfc9d51ccb1ee781300f956

SHA256
7fe58d06c5a8747b02b7273131959736803f3ea54a1d776135437ff79b72324c

SHA512
606cc7728d47d6fc84200a10561c49c16c4d33587480cea941c2a789c3a9e759ca08cc2460011f3097cd0ba50bb3202bea9daf2e022279b4f7bdfaeac6554108

Download Submit
C:\Users\Admin\Desktop\RedoBackup.exe

Filesize
634KB

MD5
b27c475abea528d2ddd4fc40caa88e01

SHA1
597445a3b3e8fc4409898f32b5d09104d7a1f89b

SHA256
9d1d0b5b2e48c85545e7b058cd446e23033810ca4d73cbacd5f96f5fb66b13a4

SHA512
05458c01e32ce5721e396e1443bf7b6a4ed59763622c46fd730a8f5b762b1985e4c6862778192a2d9ac09a4e598b0824f916c23c9efa4631843b29bd1fbf72d2

Download Submit
C:\Users\Admin\Desktop\RemoveDisable.docx

Filesize
15KB

MD5
a8d91c10da694868e883588e91cc132a

SHA1
dfa9c169a2d6de1d4cf231659185fccf3d143b17

SHA256
06f993379fee045c74bcbfce2b790df04bf8609cba78df4632aa20c8f5e96400

SHA512
54b1a42585482359c64e624028882e3949e4e4eb581b9dd120d3312f49eec3bbf971c5ce07849f3720c1adc5b10af1f0e8e12563b687e7630b13187229849998

Download Submit
C:\Users\Admin\Desktop\RevokeSearch.exe

Filesize
1006KB

MD5
f4ccf7bf821dedbae683065c22393ffe

SHA1
f62bc2a1ba69f5abeda9f5157293b4275fc96c06

SHA256
6c08e98377de4ac7e7c15970ede7158b34bbb6d1901fac18b56329e6aeeb1991

SHA512
15b27407a3bd264218fc805a3b44c088adda64c2e1371624af28f94af80a62e49fdbfcd09755b1e25bbd2025a2d8550dbd822a47c35f4b8a82a2f519391f340e

Download Submit
C:\Users\Admin\Desktop\SelectPublish.dwg

Filesize
665KB

MD5
3ad531a7b1685a95da2dd82d8700435b

SHA1
a269a9d274e89e3f020980b4ec66d738f6698c57

SHA256
db70e8955f5dc2db97ab6aa30c8e986873ed7f5f9a9d2acd2ade62686094c3a5

SHA512
9f4b85140a121ec71b590eb49a2f12156b3466845ea7bfbb8c319e8fc0aa7c4817d32685ee77b24fe95bb161aabdf7cc50bfac2c5ec2c845d08eeded7a0990b8

Download Submit
C:\Users\Admin\Desktop\ShowLimit.pot

Filesize
603KB

MD5
303f1f74b76885512a6356777fa2ddbb

SHA1
5ba91b79e114a8d4dad8c4c3505d36fb6cc811c0

SHA256
6312e043faa912187681d90e057a05293f65bb83793db19038efbb8dbc35d46b

SHA512
49913cb8d971679ceacd2c360bde7ae9380a42f23589f42d1e8c82604fb727db99e4274f05cdb075a101b0ef9e80a7eed8d7530777257ed5211d2e8b457e7154

Download Submit
C:\Users\Admin\Desktop\SplitSave.temp

Filesize
480KB

MD5
66a94cfba35412621ae4ff5e855d80a5

SHA1
4c695a7aeee5eb7ebdc45e7a013abe4e9dec14b8

SHA256
06dd6fd365670eced1acb51df647804373c681da9f4d95290009fb418a7a7e29

SHA512
ff1f06fa0e8437f0e726c02a25c89edd215cacd5b6ea4c097bc2e65c8f586df212b4c5f708cc9e08b2174d4c1ea6fbba2ebd86b73ee3966c33d408c537b25a2c

Download Submit
C:\Users\Admin\Desktop\StepGrant.3gpp

Filesize
727KB

MD5
97be153315c3c77f93b56897ea3ab80a

SHA1
a2208a3a5c4d7a25daa002095730cda8debd455a

SHA256
502f1e6b3ee795f5e25864847dab1fa88aff303f4db7270339d71bd1ce6a0f12

SHA512
fd68b90ec8369ec74c9cdf4b7f3fe9cb9fe80a81bb85164c572d7ba13aa4ae68e6baef4bff47017621e03f2e2e07fb07a22cc2f1fe076e90c8611b12e736a3e1

Download Submit
C:\Users\Admin\Desktop\StopMeasure.xlsx

Filesize
12KB

MD5
9e64bf5a2e38c90d964fcbc76d8df18c

SHA1
64ad2418035f5d8a3980f3a108fdaa8f651cbda2

SHA256
78db8514f52c2a7e9536d69200eeb926c3207f3f33af0a58656fe2a87271cb97

SHA512
94a84585d12e497807f3f69a8d39e7a6c39d736e7969445bfb09a944fb95e4dc46f22c6ba7dc20cb4fa1251101e94c7a68f43ab60dbd804c5e26cf93aac24247

Download Submit
C:\Users\Admin\Desktop\SwitchRestart.xlsx

Filesize
10KB

MD5
a50f88a62933f4fd579c525cd0111a4e

SHA1
7b0663f3612157b6522d4e45daca9febfbba559f

SHA256
5e87d5be2d80b70b4cdbeaa9023b155dff38ddfb2dc15d3dde3dffac36ed0405

SHA512
89d7398007841255356d284aa3ad2692c589685f93186b3a30dd354eace1e2cc8adaca5629eb77c1471fa137d1fdfadfd1b69198026b118086235c3246575e5a

Download Submit
C:\Users\Admin\Desktop\TestSearch.docx

Filesize
19KB

MD5
68e1a2e558b8c6d1066bd06bac720202

SHA1
9e6a56e40edf2d39411c273a5a0edcc7f85cafd8

SHA256
931a45c45d52b6198d9e516548f0243f24fe15aee3da8ccdd68afde866e0dbbe

SHA512
6ce0e5f1c7d5f45530aaa0481124781b862f7209f760da1385b2a82f21f995b1112b3936e6e41c82584f92df4bb9158796e73282268361e0ed20dd7b1ea4890a

Download Submit
C:\Users\Admin\Desktop\UninstallPublish.cab

Filesize
572KB

MD5
2b95bbf99b6f71bebc19a00400ece309

SHA1
64259234b243795c105536c60fdee3356964eaf3

SHA256
89f8b6206235e8bd9f22fb1498e8777dfad77e9c0e283b670e29f0b9ab28c567

SHA512
98fe7655bb878e40faf67bdb880096faaa0f5b06224336b8e54db6dca0716be738138fd1d7a25f1ff4c5391c9fb056789ffe3f66824af37b49c6258af15bd166

Download Submit
C:\Users\Admin\Desktop\UnregisterDisconnect.M2V

Filesize
449KB

MD5
850997cc95180301a0d8f73e9446bb7d

SHA1
f4bd49143d66719413a9527cd0dbd51603458d20

SHA256
826524b159f2b6db5224542bbf375cd195b4048390fb3d3cd4db72f23f37e34d

SHA512
fa91c2b4f7f6d871bb21cf5a8692551b4de6c898b4bd9fd177166d095d111feca8593ab5dcfa9ebf7c3d9d928c04eea622b8d3dbeb2d89c25db7cf72d8ba7d9a

Download Submit
C:\Users\Admin\Desktop\UnregisterTest.lnk

Filesize
913KB

MD5
efadfd01436f899619df079a4b92f49e

SHA1
bd9108e7aaf991c2a0569fce6f43637886be2ea6

SHA256
43b1f0d09b128ba5488d3c84c1c2922a8eac9a29580a274f024ef7b722260cca

SHA512
a59860cbc13df8d15218d55ca858dc279e3595966504f567ae53aa1f98b9839cedbad314654643fda49dd0e61b94c2a6cc2868ad5fab4f63addf7dccd579ea07

Download Submit
C:\Users\Admin\Desktop\WriteConvertTo.i64

Filesize
1.4MB

MD5
9e6e28d97d0d3684208b1da964b070ad

SHA1
84d99e0eb453a0c7994c606f7ba978028ee51db1

SHA256
6b3339a8e4c80c55fce58794d5ea1f7a13a4796893210053f44d7fd4ba30dede

SHA512
b990fa893849228a5767659cc01d01238ca20c0c4a9e9e18302bd27bc70fdfa9696d26caf8ba9065291f06bca04cb66b0999c330460074601177d565e256b67f

Download Submit
C:\Users\Admin\Desktop\WriteRevoke.emz

Filesize
511KB

MD5
bf32947ec0a54e3329b7f14a3ea3370f

SHA1
b7fe1b1c71c43f41617232cd9f72dbbcf69b58da

SHA256
a23c3a9b1f81fd0c219f6e4dd21e23264937c839bfa104c45b27ec5a40eee9c5

SHA512
93cf8c5e8a4adb00bd7e7c0d453528c3a1113649b83d3c08235ecca7c335437dfc92299c1b3f6bd29fa00c21b7296b5a93fd622ddcb4a1d119c687b7c4ef0f7a

Download Submit
C:\Users\Admin\Desktop\free\free ad blocker.exe

Filesize
78KB

MD5
e97e6c4b84ebe3f39a84b274f2923420

SHA1
2b66fcdaf064cb73197341f6d4a9c17ad54b01c4

SHA256
da4aa77f84aec83c245fec4e29a3494c2e9210597b32c5b55f0f9ac288dbb1fe

SHA512
540439d42142f4d51f130efba5e505d80e524610a94e8bde8602e2acc9586c007671e750ae219b0cb8e21ba4360e5754b6e31465aea66ce0ce544c4c0b30d060

Download Submit
C:\Users\Admin\Downloads\vDNwbkEP.zip.part

Filesize
28KB

MD5
b01d2c1febbe930daba2e48d14f1fdf6

SHA1
b88afcd2fd223693abe39381226ff16dcc227024

SHA256
d447ad3e8fba942d645b116ef4cce892bc7dc230b15a1d1d313298f97fe947cc

SHA512
077deb748632cb3d1b82364d1b326439f54938a665c086156eb1fbd8f87fa97cadde9fdbf80c8b6682d679fd982feac807b2bec3e9e32828b81203d04e4e6729

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
1b99e9c0b18a8ff11628c78ae7ec8b22

SHA1
1c7498935760542ffb55042b1107b187366ab867

SHA256
16a6a0ee84ea6ec319455a8cbdc0a07d9cc6611e82990f9409693540e33e4cb2

SHA512
4971dc65ef122cfe0f2f692bc9e51a1155528b54de464a70803166e55e3c36901615e8d56a73a7628f5ad2e805c0f352a93ff6a8bbd86ff4a9f06573a8f994c8

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
4942c4c797eed6534d0792598d08fbe7

SHA1
66be92c5edc30be7c9788f62396db6b5e64dda6f

SHA256
bc26b6153689daf93433103e32a3cf4bbcc4db3e9fb86a6fc04e6d6b81377fda

SHA512
db4d5f96662252219459b35e26e0ed21bab96369062db35bc98c320d1222ce4fc6ff46fe780c80ff17545cbdae791a5b336aa2dfab9f494a365a15af64cfe6da

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
6a8ef17f2fe9cacfe23e81d7409a3abb

SHA1
7c13152fecc4bcb0a87a7b74295cd76e79c66025

SHA256
a8136f466aab7ae5ec676bff17c64a081ae5fe68de080f9f1cc07a1e902e7d0f

SHA512
a0a2112f7b71cb71b7476aec1535b5d3f4505e426e7484ce413a7a123b58aa4dd164fa6f2565bba7a4a11ee27c3252e9b06b7c6851f999e5164153cb0a736821

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
134ef290d60394e43e872257422568bf

SHA1
51bc930c102728866e0782014e29a117d07467d4

SHA256
59ceb15e1204242d95ccf8774e928507c8ca0f7ef390c03a07b0fbcfa85459bc

SHA512
ad2b62d2920cd50a6fc170c15bacfd58e817e8f8b868245fe9e478cf2bdc985ceb745c7f237eb0bc39ccbbe2aac9197dcd9643b30aa618d658f6df417e983a88

Download Submit
memory/1368-938-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-935-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-932-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-933-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-934-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-936-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-937-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-926-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-927-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/1368-928-0x00000224F62F0000-0x00000224F62F1000-memory.dmp

Filesize
4KB

Download
memory/3504-917-0x00007FF9E9AE3000-0x00007FF9E9AE5000-memory.dmp

Filesize
8KB

Download
memory/3504-925-0x00007FF9E9AE0000-0x00007FF9EA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-924-0x00007FF9E9AE3000-0x00007FF9E9AE5000-memory.dmp

Filesize
8KB

Download
memory/3504-918-0x000001F8D7620000-0x000001F8D7638000-memory.dmp

Filesize
96KB

Download
memory/3504-921-0x000001F8F24F0000-0x000001F8F2A18000-memory.dmp

Filesize
5.2MB

Download
memory/3504-920-0x00007FF9E9AE0000-0x00007FF9EA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-919-0x000001F8F1CF0000-0x000001F8F1EB2000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads