Analysis
max time kernel
55s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags
arch:x64 arch:x86 image:win10v2004-20250129-en locale:en-us os:windows10-2004-x64 system
submitted
01/02/2025, 00:28
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK
Resource
win10v2004-20250129-en
General
Target
https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK
Malware Config
Extracted
discordrat
- discord_token: MTMzNDk5NzU4NzQyNTc1OTMxMg.GrjXH0.mx9kESWrekuu3qPcINeGceXbQuhLEJ0XCQjipM
- server_id: 1334998315099754599
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Executes dropped EXE (27 IoCs)
  pid   Process
  3172  1v1.hack.exe.exe
  4852  1v1.hack.exe.exe
  1452  1v1.hack.exe.exe
  5328  1v1.hack.exe.exe
  5436  1v1.hack.exe.exe
  5520  1v1.hack.exe.exe
  5608  1v1.hack.exe.exe
  5724  1v1.hack.exe.exe
  5808  1v1.hack.exe.exe
  5908  1v1.hack.exe.exe
  6000  1v1.hack.exe.exe
  6100  1v1.hack.exe.exe
  5140  1v1.hack.exe.exe
  6156  1v1.hack.exe.exe
  6280  1v1.hack.exe.exe
  6392  1v1.hack.exe.exe
  6496  1v1.hack.exe.exe
  6696  1v1.hack.exe.exe
  6772  1v1.hack.exe.exe
  6856  1v1.hack.exe.exe
  6944  1v1.hack.exe.exe
  7036  1v1.hack.exe.exe
  7128  1v1.hack.exe.exe
  6328  1v1.hack.exe.exe
  5732  1v1.hack.exe.exe
  2140  1v1.hack.exe.exe
  6632  1v1.hack.exe.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow  ioc
  70    discord.com
  107   discord.com
  60    discord.com
  69    discord.com
  74    discord.com
  86    discord.com
  100   discord.com
  109   discord.com
  56    discord.com
  57    discord.com
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
- NTFS ADS (1 IoCs)
  description                   ioc                                                                Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 582606.crdownload:SmartScreen  msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  4532  msedge.exe
  4532  msedge.exe
  1244  msedge.exe
  1244  msedge.exe
  396   identity_helper.exe
  396   identity_helper.exe
  2056  msedge.exe
  2056  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid   Process
  1244  msedge.exe  (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  description                        pid   Process
  Token: 33                          844   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  844   AUDIODG.EXE
  Token: SeDebugPrivilege            3172  1v1.hack.exe.exe
  Token: SeDebugPrivilege            1452  1v1.hack.exe.exe
  Token: SeDebugPrivilege            4852  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5328  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5436  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5520  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5608  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5724  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5808  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5908  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6000  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6100  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5140  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6156  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6280  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6392  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6496  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6696  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6772  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6856  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6944  1v1.hack.exe.exe
  Token: SeDebugPrivilege            7036  1v1.hack.exe.exe
  Token: SeDebugPrivilege            7128  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6328  1v1.hack.exe.exe
  Token: SeDebugPrivilege            5732  1v1.hack.exe.exe
  Token: SeDebugPrivilege            2140  1v1.hack.exe.exe
  Token: SeDebugPrivilege            6632  1v1.hack.exe.exe
- Suspicious use of FindShellTrayWindow (36 IoCs)
  pid   Process
  1244  msedge.exe  (36 identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  1244  msedge.exe  (24 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 1244 wrote to memory of 1680  1244  msedge.exe  84   (2 identical entries)
  PID 1244 wrote to memory of 5020  1244  msedge.exe  85   (40 identical entries)
  PID 1244 wrote to memory of 4532  1244  msedge.exe  86   (2 identical entries)
  PID 1244 wrote to memory of 1152  1244  msedge.exe  87   (20 identical entries)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1244)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/ogImiB7Z#-teyus5hNjArzwn-u_9Adw/file/RppXwSgK
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1680)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac38746f8,0x7ffac3874708,0x7ffac3874718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5020)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4532)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1152)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3692)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1844)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4844)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 396)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1740)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3540)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5732 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3332)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 540)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4756)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2056)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,17082311910413227117,16183898358427229477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Downloads\1v1.hack.exe.exe (27 instances; PIDs 3172, 4852, 1452, 5328, 5436, 5520, 5608, 5724, 5808, 5908, 6000, 6100, 5140, 6156, 6280, 6392, 6496, 6696, 6772, 6856, 6944, 7036, 7128, 6328, 5732, 2140, 6632)
    "C:\Users\Admin\Downloads\1v1.hack.exe.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 2044)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2428)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 844)
  C:\Windows\system32\AUDIODG.EXE 0x314 0x30c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 9bfb45e464f029b27cd825568bc06765
  SHA1: a4962b4fd45004732f071e16977522709ab0ce60
  SHA256: ceb8f1b0aaa1ba575c3704e73fd77edf932d68c8be902b33f1ba3b1d130cd139
  SHA512: f87cce8bb5489b56027f5a285b948b639a1c7b0f213a111f057235177e5bffc537627c82586736704e398a0185cf2ad8ba8cdee788531fb753a2d08f16e906c7
- Filesize: 152B
  MD5: ae2a8f2ebc841509f7b978edf590d3cd
  SHA1: 91358152e27c0165334913228005540756c35bd3
  SHA256: 631550765e3db02be0709748c0634a2cfdab711cea94f5890854d0c1dfbcb214
  SHA512: e52180dd175f1e6ff72d76400085869387cd70da33919de219a04dc26871e8421e93b22e7c59125c19c6ee54a8a8f742d796ac68ea9077c9dab5f03b80967d11
- Filesize: 21KB
  MD5: b1dfa46eee24480e9211c9ef246bbb93
  SHA1: 80437c519fac962873a5768f958c1c350766da15
  SHA256: fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398
  SHA512: 44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: 911fc312873df4f67c181672777ba11c
  SHA1: f3958ca3efc776b864fbdf2b8b74c8380292a51f
  SHA256: 5072b873f211f874414ed20f06ac4f6958e6acc60df1fdda6997e39643c76c72
  SHA512: 1204db5fd6fb5fab1031d1464f66778b2321003c712b41973fe04d89d16749e8a875073767285334f8539795cc422428bf759d6dd42a9e217ee94de571868740
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- Filesize: 257B
  MD5: cb2c370608ed5735aec0094cbed1ddbb
  SHA1: 8b9da953294d7078e9636c4a122d4c98651bfc17
  SHA256: 01fc00c66b187f3bcf3aa0ab676274ae4629fe537f3e0a50c9c1528e0849d5b6
  SHA512: 87fc267886df91e9602f890fc931ed971f6892106bcc67774c5869f124755389f6016945d099a9966c08a93a1c1110f5d93242efff93a55de02cde39854ac9cf
- Filesize: 6KB
  MD5: 23298cd8a179a25e9eebc31f6185270b
  SHA1: 8cb16614aae8ae784acae64177b9849eb044c8a0
  SHA256: 814d4ceb31810445bb40d31ae8c3afa3b5471040461353e583f5d2a2fb167fd1
  SHA512: 8fb5c60287e0c210944f7ecd08e8ec89e4563b46d14239b32edae9c266e410f3a99b0fe9f107928fedf1e6ce110a7b051f6fa87c856b3ca9445c1097cd43a19b
- Filesize: 6KB
  MD5: 99b3e01965d77e3121405d5561334329
  SHA1: 6e59c2fb0a9ef5f5c916d1cc98f7ffba0a91b944
  SHA256: 0d04a9d9fe33731b817e51956c838c864ddf715cca26631d49df7233a6aaf00f
  SHA512: 12783ccbda715e78e0cba3b13122821145a6da2b674073e153c8903ee5c4a6a275a3aee2b1608af07a9899cd6beaf97d51aa936908c2886d310b640d3e67a77e
- Filesize: 6KB
  MD5: dea71a8ce9684c72b2bd15f808b0004a
  SHA1: 6c65ab666ce538a3bcc139a3e9620089a05b91a9
  SHA256: 0d77946527e07e129548197bbddb9afa8a50d3b7278d09adad36294070ae31fd
  SHA512: 4291e90c7031ccfeefb806f4955b2620a5eee1d864b2c53deb4db4e8b499e485ca050fd2c93acfdb9e3f26912610977d32af9b44d70039e73be39d5ecdbe49a0
- Filesize: 7KB
  MD5: ed5af2b0893330b8e6f0f5cfa91458c6
  SHA1: d6340aaeebd68fb842925abf041ece78877adeb9
  SHA256: 81fbc26ce9d048eae6bd50b77f47c866d47ae521c0d86e68e17c6888b7d24878
  SHA512: 81c9eec1cfaa2e9511aab4ae23a57cab954df3ce621b880eb5507561ca6a18c4372d82ddb9f43887608818730b356d5bddf6ba958d18d7c5a5468160851d1789
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 9f6cb4a382e9bbc148298b2b1f63f6f3
  SHA1: df7013285572c6ff4aabfb79a4f7e23b62e5a692
  SHA256: 9b0d2e0c682befff19f0571bcbeb0dabe3916d6136882f0812e6351d5f8e0fc0
  SHA512: 97976828744206060ed55237b80ff600c7f1cc626d757effb3bc7e747dc16734e78ca8db5ed02574efd966b0ba3e9026273b8c61a742a33aa326cd7f144bc2ac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f08a.TMP
  Filesize: 48B
  MD5: 38f6d44415696c695670bd32a4d44386
  SHA1: c56e5c8b3163edea11393b3dff240b37265fc186
  SHA256: 824c24d368dcfaeb331bf9a25a39f3d3d8f371ac7166d418d7d6619dddaa2add
  SHA512: 05e2f8cda0cce3e107bba8b045e4a46b367eed97fd021e694b44a01a4fe29fa504dd9bd129c0d22d4fdd5cf4a0fdb30b9983aa4c34725eb20b0b8ddabb721d35
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 11KB
  MD5: 035d2ee547d3946f94d4ebc7ffd43bb5
  SHA1: f6278194593318fdf81ceff4dcd342eabc32f9c6
  SHA256: 7cd09cb403e1de90e2d660624431e1b4da34edecf96b6ee96618879a86358aae
  SHA512: 3335c85e0ec9b6a5fb4a64fd2f5d47c811cc5a003e86f06aa0cde6fc04ed9daa35bef706f16d6aca21d8267c8e928123602df758c93bc1327d6d8185f104cbb3
- Filesize: 11KB
  MD5: 081b093a31adb995d7bfc6322500e7e4
  SHA1: 6982fdb1d220a4e6b3a981d8ab236bb60b116e20
  SHA256: 70ce13fcd10251686a46eb02cfc01463eb6ae91739055c681ccd892436f10bec
  SHA512: 2b6c6b7a610e996ea4f81dd6527f78f7ed4d9fa4fcb4e9c5143bd1571bdf0eab80b341ac4d204ae4fc372dfa2b2a32fe2e5f9ab846fb31d5146bea5ea750423d
- Filesize: 11KB
  MD5: 3dd23bdb02147b5fecc93d698a53a61b
  SHA1: 43ec4bfc0b60847744986812ed39d4700a9109c1
  SHA256: 15663f50a171d6c48b9f9d2657c63c7118167be2fb8be65bd4cdb675e28bdb8f
  SHA512: 90d3f1a67ff2c14107699f1b478a1da1dfd2950c69c62849505325d7d1e2da20e3697f6538947991b2551f04b856d2f475278c465b3f4958d2fc933bf96867b9
- Filesize: 78KB
  MD5: 55285c492ce47533e64e80ec267e16fb
  SHA1: 02a6efa4787bd3660df4598edfb637659a8d5343
  SHA256: 49cb42e5f881591cd6252da0709c0eb1e2d7c6d581ddf78b6f9bc6554fe4d7e3
  SHA512: 63c7485d091fb3ecab3e80201b9a0c4e5be45127480c9fe2bd3399596656f57479c6a5bc1c296d1b76b9a459f5a94257c5668758b6c54dd85cbf3fadb1e208d0