discordrat | hxxps://mega[.]nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK

Analysis

max time kernel
55s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNDk5NzU4NzQyNTc1OTMxMg.GrjXH0.mx9kESWrekuu3qPcINeGceXbQuhLEJ0XCQjipM
server_id
1334998315099754599

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 27 IoCs

pid	Process
3172	1v1.hack.exe.exe
4852	1v1.hack.exe.exe
1452	1v1.hack.exe.exe
5328	1v1.hack.exe.exe
5436	1v1.hack.exe.exe
5520	1v1.hack.exe.exe
5608	1v1.hack.exe.exe
5724	1v1.hack.exe.exe
5808	1v1.hack.exe.exe
5908	1v1.hack.exe.exe
6000	1v1.hack.exe.exe
6100	1v1.hack.exe.exe
5140	1v1.hack.exe.exe
6156	1v1.hack.exe.exe
6280	1v1.hack.exe.exe
6392	1v1.hack.exe.exe
6496	1v1.hack.exe.exe
6696	1v1.hack.exe.exe
6772	1v1.hack.exe.exe
6856	1v1.hack.exe.exe
6944	1v1.hack.exe.exe
7036	1v1.hack.exe.exe
7128	1v1.hack.exe.exe
6328	1v1.hack.exe.exe
5732	1v1.hack.exe.exe
2140	1v1.hack.exe.exe
6632	1v1.hack.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
70	discord.com
107	discord.com
60	discord.com
69	discord.com
74	discord.com
86	discord.com
100	discord.com
109	discord.com
56	discord.com
57	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 582606.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
1244	msedge.exe
1244	msedge.exe
396	identity_helper.exe
396	identity_helper.exe
2056	msedge.exe
2056	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: 33	844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	844	AUDIODG.EXE
Token: SeDebugPrivilege	3172	1v1.hack.exe.exe
Token: SeDebugPrivilege	1452	1v1.hack.exe.exe
Token: SeDebugPrivilege	4852	1v1.hack.exe.exe
Token: SeDebugPrivilege	5328	1v1.hack.exe.exe
Token: SeDebugPrivilege	5436	1v1.hack.exe.exe
Token: SeDebugPrivilege	5520	1v1.hack.exe.exe
Token: SeDebugPrivilege	5608	1v1.hack.exe.exe
Token: SeDebugPrivilege	5724	1v1.hack.exe.exe
Token: SeDebugPrivilege	5808	1v1.hack.exe.exe
Token: SeDebugPrivilege	5908	1v1.hack.exe.exe
Token: SeDebugPrivilege	6000	1v1.hack.exe.exe
Token: SeDebugPrivilege	6100	1v1.hack.exe.exe
Token: SeDebugPrivilege	5140	1v1.hack.exe.exe
Token: SeDebugPrivilege	6156	1v1.hack.exe.exe
Token: SeDebugPrivilege	6280	1v1.hack.exe.exe
Token: SeDebugPrivilege	6392	1v1.hack.exe.exe
Token: SeDebugPrivilege	6496	1v1.hack.exe.exe
Token: SeDebugPrivilege	6696	1v1.hack.exe.exe
Token: SeDebugPrivilege	6772	1v1.hack.exe.exe
Token: SeDebugPrivilege	6856	1v1.hack.exe.exe
Token: SeDebugPrivilege	6944	1v1.hack.exe.exe
Token: SeDebugPrivilege	7036	1v1.hack.exe.exe
Token: SeDebugPrivilege	7128	1v1.hack.exe.exe
Token: SeDebugPrivilege	6328	1v1.hack.exe.exe
Token: SeDebugPrivilege	5732	1v1.hack.exe.exe
Token: SeDebugPrivilege	2140	1v1.hack.exe.exe
Token: SeDebugPrivilege	6632	1v1.hack.exe.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1680	1244	msedge.exe	84
PID 1244 wrote to memory of 1680	1244	msedge.exe	84
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 5020	1244	msedge.exe	85
PID 1244 wrote to memory of 4532	1244	msedge.exe	86
PID 1244 wrote to memory of 4532	1244	msedge.exe	86
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87
PID 1244 wrote to memory of 1152	1244	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac38746f8,0x7ffac3874708,0x7ffac3874718
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5724
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5908
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6000
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6100
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5140
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6156
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6280
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6392
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6496
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6696
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6772
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6856
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6944
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7036
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7128
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6328
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5732
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Users\Admin\Downloads\1v1.hack.exe.exe
  "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x30c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9bfb45e464f029b27cd825568bc06765

SHA1
a4962b4fd45004732f071e16977522709ab0ce60

SHA256
ceb8f1b0aaa1ba575c3704e73fd77edf932d68c8be902b33f1ba3b1d130cd139

SHA512
f87cce8bb5489b56027f5a285b948b639a1c7b0f213a111f057235177e5bffc537627c82586736704e398a0185cf2ad8ba8cdee788531fb753a2d08f16e906c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae2a8f2ebc841509f7b978edf590d3cd

SHA1
91358152e27c0165334913228005540756c35bd3

SHA256
631550765e3db02be0709748c0634a2cfdab711cea94f5890854d0c1dfbcb214

SHA512
e52180dd175f1e6ff72d76400085869387cd70da33919de219a04dc26871e8421e93b22e7c59125c19c6ee54a8a8f742d796ac68ea9077c9dab5f03b80967d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
911fc312873df4f67c181672777ba11c

SHA1
f3958ca3efc776b864fbdf2b8b74c8380292a51f

SHA256
5072b873f211f874414ed20f06ac4f6958e6acc60df1fdda6997e39643c76c72

SHA512
1204db5fd6fb5fab1031d1464f66778b2321003c712b41973fe04d89d16749e8a875073767285334f8539795cc422428bf759d6dd42a9e217ee94de571868740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
cb2c370608ed5735aec0094cbed1ddbb

SHA1
8b9da953294d7078e9636c4a122d4c98651bfc17

SHA256
01fc00c66b187f3bcf3aa0ab676274ae4629fe537f3e0a50c9c1528e0849d5b6

SHA512
87fc267886df91e9602f890fc931ed971f6892106bcc67774c5869f124755389f6016945d099a9966c08a93a1c1110f5d93242efff93a55de02cde39854ac9cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23298cd8a179a25e9eebc31f6185270b

SHA1
8cb16614aae8ae784acae64177b9849eb044c8a0

SHA256
814d4ceb31810445bb40d31ae8c3afa3b5471040461353e583f5d2a2fb167fd1

SHA512
8fb5c60287e0c210944f7ecd08e8ec89e4563b46d14239b32edae9c266e410f3a99b0fe9f107928fedf1e6ce110a7b051f6fa87c856b3ca9445c1097cd43a19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99b3e01965d77e3121405d5561334329

SHA1
6e59c2fb0a9ef5f5c916d1cc98f7ffba0a91b944

SHA256
0d04a9d9fe33731b817e51956c838c864ddf715cca26631d49df7233a6aaf00f

SHA512
12783ccbda715e78e0cba3b13122821145a6da2b674073e153c8903ee5c4a6a275a3aee2b1608af07a9899cd6beaf97d51aa936908c2886d310b640d3e67a77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dea71a8ce9684c72b2bd15f808b0004a

SHA1
6c65ab666ce538a3bcc139a3e9620089a05b91a9

SHA256
0d77946527e07e129548197bbddb9afa8a50d3b7278d09adad36294070ae31fd

SHA512
4291e90c7031ccfeefb806f4955b2620a5eee1d864b2c53deb4db4e8b499e485ca050fd2c93acfdb9e3f26912610977d32af9b44d70039e73be39d5ecdbe49a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ed5af2b0893330b8e6f0f5cfa91458c6

SHA1
d6340aaeebd68fb842925abf041ece78877adeb9

SHA256
81fbc26ce9d048eae6bd50b77f47c866d47ae521c0d86e68e17c6888b7d24878

SHA512
81c9eec1cfaa2e9511aab4ae23a57cab954df3ce621b880eb5507561ca6a18c4372d82ddb9f43887608818730b356d5bddf6ba958d18d7c5a5468160851d1789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9f6cb4a382e9bbc148298b2b1f63f6f3

SHA1
df7013285572c6ff4aabfb79a4f7e23b62e5a692

SHA256
9b0d2e0c682befff19f0571bcbeb0dabe3916d6136882f0812e6351d5f8e0fc0

SHA512
97976828744206060ed55237b80ff600c7f1cc626d757effb3bc7e747dc16734e78ca8db5ed02574efd966b0ba3e9026273b8c61a742a33aa326cd7f144bc2ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f08a.TMP

Filesize
48B

MD5
38f6d44415696c695670bd32a4d44386

SHA1
c56e5c8b3163edea11393b3dff240b37265fc186

SHA256
824c24d368dcfaeb331bf9a25a39f3d3d8f371ac7166d418d7d6619dddaa2add

SHA512
05e2f8cda0cce3e107bba8b045e4a46b367eed97fd021e694b44a01a4fe29fa504dd9bd129c0d22d4fdd5cf4a0fdb30b9983aa4c34725eb20b0b8ddabb721d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
035d2ee547d3946f94d4ebc7ffd43bb5

SHA1
f6278194593318fdf81ceff4dcd342eabc32f9c6

SHA256
7cd09cb403e1de90e2d660624431e1b4da34edecf96b6ee96618879a86358aae

SHA512
3335c85e0ec9b6a5fb4a64fd2f5d47c811cc5a003e86f06aa0cde6fc04ed9daa35bef706f16d6aca21d8267c8e928123602df758c93bc1327d6d8185f104cbb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
081b093a31adb995d7bfc6322500e7e4

SHA1
6982fdb1d220a4e6b3a981d8ab236bb60b116e20

SHA256
70ce13fcd10251686a46eb02cfc01463eb6ae91739055c681ccd892436f10bec

SHA512
2b6c6b7a610e996ea4f81dd6527f78f7ed4d9fa4fcb4e9c5143bd1571bdf0eab80b341ac4d204ae4fc372dfa2b2a32fe2e5f9ab846fb31d5146bea5ea750423d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3dd23bdb02147b5fecc93d698a53a61b

SHA1
43ec4bfc0b60847744986812ed39d4700a9109c1

SHA256
15663f50a171d6c48b9f9d2657c63c7118167be2fb8be65bd4cdb675e28bdb8f

SHA512
90d3f1a67ff2c14107699f1b478a1da1dfd2950c69c62849505325d7d1e2da20e3697f6538947991b2551f04b856d2f475278c465b3f4958d2fc933bf96867b9

Download Submit
C:\Users\Admin\Downloads\1v1.hack.exe.exe

Filesize
78KB

MD5
55285c492ce47533e64e80ec267e16fb

SHA1
02a6efa4787bd3660df4598edfb637659a8d5343

SHA256
49cb42e5f881591cd6252da0709c0eb1e2d7c6d581ddf78b6f9bc6554fe4d7e3

SHA512
63c7485d091fb3ecab3e80201b9a0c4e5be45127480c9fe2bd3399596656f57479c6a5bc1c296d1b76b9a459f5a94257c5668758b6c54dd85cbf3fadb1e208d0

Download Submit
memory/3172-227-0x000002C0ACB70000-0x000002C0AD098000-memory.dmp

Filesize
5.2MB

Download
memory/3172-226-0x000002C0AB6F0000-0x000002C0AB8B2000-memory.dmp

Filesize
1.8MB

Download
memory/3172-225-0x000002C091090000-0x000002C0910A8000-memory.dmp

Filesize
96KB

Download