discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/tag/2[.]0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133534237106115384"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4428	msedge.exe
4428	msedge.exe
3744	msedge.exe
3744	msedge.exe
1368	identity_helper.exe
1368	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
2716	builder.exe
4308	chrome.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3796	4308	chrome.exe	41
PID 4308 wrote to memory of 3796	4308	chrome.exe	41
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 3620	4308	chrome.exe	90
PID 4308 wrote to memory of 4228	4308	chrome.exe	91
PID 4308 wrote to memory of 4228	4308	chrome.exe	91
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92
PID 4308 wrote to memory of 1636	4308	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff18fb9758,0x7fff18fb9768,0x7fff18fb9778
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1716 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2696 --field-trial-handle=1868,i,14515027768849831536,12031576465922639234,131072 /prefetch:1
  2⤵
  PID:3652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\builder.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\builder.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2716

C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_release.zip\Release\Discord rat.exe"
1⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff20fd46f8,0x7fff20fd4708,0x7fff20fd4718
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,11102478088813139252,16023358904404357602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
75191acfe7bedcc4271742c177c29c7e

SHA1
e0b2abbd70698268ad9934ec64b885255534ddc2

SHA256
90b68958504aebe46cf7ca5ccfe5162631508bdea8d34e572b5d4320a6351372

SHA512
84aa558ca3500ebaab294e7d34b60bccc3dffe60d91e42d788422d7b4c9cad935260a6678626c7e41782d2ff8a2797a5031762413b0c896af294c4eadafc0f8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c0b3a95080a7a662aed2b4eb998323aa

SHA1
8f6444e6641be2752bdb4567bdb2ba97a9a43a54

SHA256
be76acb26f35b9b182698d724d91115f8d33650ef466619b7327e3ed399d40c9

SHA512
b6b66123427679ce6bed4a919fd712ad9a5425044d5c6861902491dc2ab52e2ae7cbb8e0e51707b712ab947b995656b7b1192d9036c7425be1e5462b08ad2653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
406a5479ccfb10b82423ec286a4c41f0

SHA1
333395a91c65083df8e5e982afa3c0f2d490ce0d

SHA256
850cf9245b24ef0f7d1aa74fc08bfde14aaf209b1c930affca3910b996515143

SHA512
75ddab5172ffc876364b341d6e9beb6f945ad3bc56634016fd3e8b43dedf668c16beac0a8daf830ba93d2e8d3d68dfe84ef1be8ff9cf5cd5fecd512aa42d9430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
964786b97dcecb4f45d695ee07cc580c

SHA1
265efe9f7acebe94aeecfa13369042efe4bdd442

SHA256
f1edef09458924fdcfd0b24ea6ddf048cb4845bdfb198b3d655aed31c41ce9c1

SHA512
ea0c6d4f335713d39d1a095ef0894297d8c40aa2b56ae86191d71df7d5a3564cdc00aaf33280f67c52ac527cc1e6cbb517725f072eb34a91ce96eb619bd6be1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cc85e527efba7a8bf21e016e3f564f29

SHA1
3f40d68cd3e5957f9fd1b8832b0511e4c9ff4f4c

SHA256
b196b5be72c7bae16f860678823fe59f5870d8f7c4f791e2f8a34c3c7de90189

SHA512
c04c5195905682510dfbf3813d31162759bb2f929b19d0494ad70419aa56a61f1a9204f6990bdc4dacfff37fbe2b9a3575c71376a9d8efe5860cc6a72f5d0909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
21fdeb109cc3c11a70715ec357802d4f

SHA1
966eb6ae90483fb40c765c774029b304ce864c55

SHA256
344c534ac4fff099bd46f00418ece0fd56635352dc28ca98e1e7e8ecee192b8a

SHA512
586a22754737345841b4ecec92022646f61e6ebb8822f26e59b172eab79bc1b9cbd9bd4202343be327dc7def3ecf9dfd651184227513633e7869b7942c6bade6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fb5925a511a3ee1c90bd5a777ae4e75c

SHA1
d7efca4004b5088c2bf1ade5ba1f27cc8d805535

SHA256
37b3ad52a024dc4c4654aaf08229060a20ecac7136e274e65d7a61aee7b47654

SHA512
e7d41de5f937d2ee0d5a8c82a8e07778db5afa2e9fc75bf7976c31672d6139a901eb2c9577bf53cba30d5a16d5065b06729d83793634d2ff0e77381733260f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7071be182fa3338935a4735b77efa34b

SHA1
b79846f32b30da9807be0d02e9621ea08b4576c0

SHA256
aeafe7b5d0f6b10706834fc8a460737b1417cb43a24cb2107804a54c3024faa9

SHA512
5060f93308a40c0c511ad9292ffd248d0dd3b3190b05072364ebaaf20995552345abcc98f65d3dec82bd3de7d79e1b79869dab8f73845266e9b4217a5b73c98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
126c860a48141e3c0b31cc2ab9f3e93f

SHA1
d6a317c942fca77b6ad1b5293c1794fdb1da4315

SHA256
ee04f26ff5f32828b9700b527ea0ff3ba2a14bf992545eb55832d032a1622930

SHA512
bd2359866531de1650c8cae26e122aff5f62c962b4ad2102f64fbcc7a963b667066ae39632aa75a10c3597781360c0e161111bc7a6fcbe1453fc3a268faae810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
562eac0f3c4773d8214028e7e4e22c7b

SHA1
ac0bf4a63b2036d9c715acd9e4f97cbdddc2789c

SHA256
6e02337db34d95b8c37f9b8cca481eb172e5baf544a8607b0c39a899c7037bde

SHA512
9051c3071c086a51085ac4eccf7b41348721939c46cf5e1b1ec348722af52d220774a475b03f116a406cba54c99010351e7321a6b22300c0b66960d1e87ef034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b734d34376fad3035ab4620aa83187fc

SHA1
1e8969378c56a3a034b8f0cf69d2f20caa6324a9

SHA256
d7240c217c62bfa405ff6a3486fcbace98ff5603256238052585b765150f3185

SHA512
74be8998776419d3c02681705a34b97343a3c637c969b7888d1f867ca072f97dddc2b6d18d2b8e1631ddeb1018f7b754c20cc5b8519b7eb51830e9d925b612a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8ebaf5b3761944f5e2928f72f38cd4a6

SHA1
e76065f9589db2bd58ee40af038da22d319eb91c

SHA256
bf317db6b24406c82b9624a0faba44914d06e85d8ccbdf9cfc9ff7089c5baeaa

SHA512
7623a8d29f4d813d6ae0623233c18a86bd0b01017bb010a2ce30571603d8523d20123e3b68f3a9ca99666cdca6ce28558832da7eb484a7b6aa1a03030b356877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f957c030c7441cab54b13f52fc9527a3

SHA1
d5eea8b8c36be19193fc98ff36b6398144152770

SHA256
ceaba201bb30b81d660a7c30600b4a797938894bb8b27cc0fb4e6d901a20fdc1

SHA512
994d7fb5895396bd561dce408696c7e4cee77b0ae89d2812e112e7efe316d1cfd4b5f4e189a98ea2aece23c23a30748336710050409ae0dd4245cbc8576811d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
d598b2ab55c159c29ef9958cf0dd1784

SHA1
33824774645df71611e8bbea3266b6868ff11d96

SHA256
b58318d73c7b52ef4320b9560d0e978690ae908b9680afd8ca882ec9df01f101

SHA512
681fe631d229613653b9157d0b3d08a0a0ebd8b4cfb401ac1f762f8c63a2e622b09f195c01b56016be029ed7aff4e4a71106b372b589730224365a7333817638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
9e51a4b1133c3ae7741bfdb217177be9

SHA1
d7501218e1d25f70066f7cb4f5ea1e422be9b7d1

SHA256
4378632e81e3454edf88fc64f3f78b47909215e552a3b4a44940083f57077d96

SHA512
6252b064866d7fd72af41eaed0d499f13e8fa707d02b59569b88c57b907b97c18223058d9e32a9a1194924b8186a08afde9d3a02ca8ff210b2bf8171055d68a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccf8b7b618672b2da2775b890d06c7af

SHA1
83717bc0ff28b8775a1360ef02882be22e4a5263

SHA256
ef08e2971a9ba903c9b91412275b39aabfd6d4aa5c46ade37d74ff86f0285420

SHA512
eb550889db8c4c0e7d79b2bd85c7d0e61b696df10ce3d76c48ab21b935c7ecc7b12403a00d6570e7d8e4121f72747242c2358f8f0823f804e704bd44ed603b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
91746379e314b064719e43e3422d0388

SHA1
65f1a2b5a93922d589142a6edf99b5b35d986dba

SHA256
0b3cf8ae20afd84c9bf06546e876c84922cb5800526df72a628479f4d5487df7

SHA512
a783d8d9613cf92020fc36fd27d384dbd4e105a1ebd02c4507bf7263e61ff5b377e6d1734b066700782fa64bcbeb11af31ac3972d404625cbdb587cfa3bc0808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9db6a45e-9123-4c8d-aabc-5d6b09d9d111.tmp

Filesize
6KB

MD5
6803cd8a59f2d65d09314e8a8adb23db

SHA1
48541556570178bd4cac11de32239d489402e947

SHA256
533ab40512946b8c752ea5cfb230b9f66b3fbe0174ef13d7ddbdfcc8604500fc

SHA512
1f23904ee8cf920e3a672a0ebc67b036e3e12b1080fa2114a7766ee74747b36466665bcd846ac92033f0e721857cb7b83b8b6978de209e34027743a484a6537d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93f3d0bdaeaf0d556e1698d287ca44c3

SHA1
fff7e2bab3dfdc971256b7ff24a3dac724646014

SHA256
a26a579abcc8b2a43f7c4754ce3fb015793d0de070faa43831c68c2c245dec68

SHA512
0e4e204cff5017bd1811158f64bd78063f661c981638b1eefaa3f02c06e9ffc825dada0b485674a8beb152bb3c54609895e6ce55099a1b74596df1b8a0de49e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
971c71b401631cd251443efe515dd088

SHA1
c78dac08682578a1597c740de670ca0bf0b62d7a

SHA256
5e4d51ebb9db076839b9b922c6aac2dc2d40d7cbaf48d708cd0f1bddfe10f73d

SHA512
9296c30ba53f5edc18ef3cb56a3d9a1db6911add4ae6bcb8ae6a669a6951d8074b696d6d40a8170b0ab14c151bbf4b248f2acbca3017c8a477ddbd0e0ca2f993

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/2716-170-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/2716-175-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/2716-176-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2716-171-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2716-178-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/2716-172-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/2716-173-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/2716-174-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/3648-325-0x0000018847080000-0x0000018847242000-memory.dmp

Filesize
1.8MB

Download
memory/3648-330-0x0000018847420000-0x0000018847430000-memory.dmp

Filesize
64KB

Download
memory/3648-329-0x00007FFF09430000-0x00007FFF09EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-328-0x0000018847960000-0x0000018847E88000-memory.dmp

Filesize
5.2MB

Download
memory/3648-326-0x00007FFF09430000-0x00007FFF09EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-327-0x0000018847420000-0x0000018847430000-memory.dmp

Filesize
64KB

Download
memory/3648-324-0x000001882CA40000-0x000001882CA58000-memory.dmp

Filesize
96KB

Download