discordrat | cccf75bb8d71a45d611a20d4b9df9a2be374e6dba127d7253b9bd26547f26940

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

9ecf3ffd585a032ef28539df8ffff5a1
SHA1

a178641c7597f8e4b1009365f315840e6d67d450
SHA256

cccf75bb8d71a45d611a20d4b9df9a2be374e6dba127d7253b9bd26547f26940
SHA512

538ed095b0ff4cb27bab6b69ca3a62df632d9281112b558d41e61f921dab3ed3e74e10542de3b15c080c61c7d72f2c74ff7377419b01284989fab563f5233e35
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+BPIC:5Zv5PDwbjNrmAE+RIC

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNTczNTAxNTkzODMyNjU1OQ.G9yV-B._jUdHx9XSQSo5nyttxH-78hmGvNbNE21hal5Tw
server_id
1215731392072122550

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
18	discord.com
29	discord.com
78	raw.githubusercontent.com
79	raw.githubusercontent.com
82	discord.com
32	discord.com
63	discord.com
66	discord.com
81	discord.com
491	discord.com
494	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{DD6DB530-E282-442E-BF0B-077CEBA46065}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
2892	msedge.exe
2892	msedge.exe
5248	msedge.exe
5248	msedge.exe
5836	identity_helper.exe
5836	identity_helper.exe
5352	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	Client-built.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3120	2892	msedge.exe	105
PID 2892 wrote to memory of 3120	2892	msedge.exe	105
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 2284	2892	msedge.exe	106
PID 2892 wrote to memory of 4908	2892	msedge.exe	107
PID 2892 wrote to memory of 4908	2892	msedge.exe	107
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108
PID 2892 wrote to memory of 2256	2892	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffd573c46f8,0x7ffd573c4708,0x7ffd573c4718
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2212,5025318329675040475,2506950228764778743,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e1d8acc23e6b9fb8e979dfec45ebc80d

SHA1
f7eeda9e26e5cccfaa07b497cc71cdde02c2ecc0

SHA256
533056cf50550cf40ec2f5a2f562b5c5e51f8a34bad358b4bdc07f7c24c6e997

SHA512
d3fe476a0484d748a679a7f0a8617466120d1566d4cba5b0d721a4d6b2c4f68e25e4bf610127255024f39b6e7234983f714e4d02c5f5cb321a5d86033c4ac573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
07cf620573c1f9e945100aef36036da5

SHA1
a1d3814db9787223d985f11ed8e07147c32c541e

SHA256
c5f17250a78ae63a8570bba03efb4dff57ccafceb83d2ed52113edd9d6f26611

SHA512
9d9c39160165f12673bf7ce5552f9bd49315b451f1df2d63ad52f415dc250465ad83a7fb40d420ce7e95219d47e8cef0cdc80afada7fa6fbcd6486f0d842f187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7236b1fbbe775e68694562afad41e2a6

SHA1
add5914e7c222cbbaa56b87a13b2184bb4ad6f69

SHA256
ef9f86a394f7e5e7bbb56c7dc0a8514ef5850b80c182a1ac4669e60f4c43d780

SHA512
4cc2bc279e60b837bcf3dac12e2ed9603437efc9e5a8a9818e24b682e8c15940bdf9fd2b9a487222c4d4fd5192053f251009e49ed092026c8de5590062f9c21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f5497c9a63814941daffa22ef2181340

SHA1
5190dc4c6afaefce2e125a1fc6e662f587817114

SHA256
a12bc8cb64146cfa8ad34ce9e717c1b136ad7a75e8a61c588d9eda7a0ce5dbf2

SHA512
dc2220ae5dae8c42db51de3c6bedcd00da7160235ffb890e6ae5c45368163df68f530722575982f73defc769169330e3f1b0bfdc332e57b4bf89a12a271198d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4181c1734b39c52f4168554f32ec22e3

SHA1
766b9e307210d1dc2d8c988c259e310ccf8ff3be

SHA256
ed5f38198b78b3f017d65beaec6fa14cc93446d11d933658818832fcb2fd5866

SHA512
cf5d77459ccd7d354f43674004b04287c590caba5802939a0b72e2fb0dc7ad98dc766a6d64388fb421ed542699ec05762e273e5e0d51b4ba5b773263dc85954c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbb3dec747c74e74c28927ca9989a6ca

SHA1
1e1328c3f5ce20e1f0cc9e6dcf4776b4692c5249

SHA256
f29dc387e92ee87ebf2ff0d8ac4d11c0df86abf0398ed2f8a483f4062aa7795d

SHA512
b28d04d3d3722a52bf5960d545232faf26d1127b0c83ee76b7d0bcffd4c7bc0aab613a85ac928d13bc8c73b605f06269aecc2a5fc53031bfd12c07af1cc1deaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90229e8bcb95d86dcf90dba418b411cd

SHA1
8b354cb598b976db05498c1cfada86356e17225a

SHA256
0f81851e06520f9fd183d0de00c0914f5c0f8b72013054cf70fb5b6e4d14a12a

SHA512
83ff782df9bd2556db002ad111ac6d85f8e7f89bcaec3012e3d435b3bfe4a27ce8cea61472e701aa13d99c5b39f4cd8b343785cfddedb705ea1ab4bf8e307e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3f308db7dec267d975abe0daa6407c6c

SHA1
21b03adb104fd073b92928965f55e761cb958eef

SHA256
5cbd99716b3b128ff3694341c223bcac06de82e70527ceebc7a09866c5068489

SHA512
cd8ea01cd8d0a1fb2f2db248a6e6009262f081ea389b39187c7f488c9b665d067d64294aed1161a312c6def70c4d40728b42e2a8f39f61b7cde5b7f6d1527918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4b854dc61a4c4fe8bd9c2f5e9156ca93

SHA1
f7aab57054a8d04f002281f58fc5d1fe4f9669e9

SHA256
4adeb88e9e632b2408d231785cc825a6992a4a94b226f733efd1d1f99fbf3b2b

SHA512
46b1d3ccef16a694176697ea1ecae83bf4b835a2256e61d1ee4e5455ece690e81be293f74cc7eacc433b139fc463ec30c4181fef9f4241f8305e4d2a4aa35a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d374859944d1a37440989d8132821a3c

SHA1
41536c3d37ea94b1be8d88e5cbe74c36f1c1cfc1

SHA256
790da5c6590fac67dd4c6e2da2e5512710414200ff9e114b83eb9477194bb1dc

SHA512
f437b1579e0fa32c7a6eeb63ce23fac07fb30e6a71b22999e7f60c36b0deadc3031048aecf0755c883250ed64efc2046de401fcd3ba6b2f4244cf7bf3dd5c1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
483f68aa1f4d2e751440f0d4fc8ad1d0

SHA1
8f9d555e837752fa0cd8d05107138c2fac96f2f7

SHA256
98609486d956b819ecf181a63caf65d0fd864619601eceaefe7bb25b84fb9816

SHA512
7ed668f32583b159319da99b8c2e34ca1dd11c1663b7d079dc84f0d38c9bd4ae96b06f264d1caf3fc96fc51478115a0a52489854ee46c4f37dd8393a3f6f4298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6a49b6033ba473d782f10a733d7676d7

SHA1
b8add11e1c5f54eb9dd44309d56c0db1fa0c07c0

SHA256
e7d21e1c4b5dd08684fa708d0e9892210d8389459940bcfb3dcf63ab2ddf8821

SHA512
6a8cebcbe94824f194c028c1affc052d78f45b78119547d2a2529ea8d98de46af9d4a9dd8a700c7d16039f9c080423499ad8797440a2fb3631fec811dc606bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
82e75f31e49b8a0843c0f3c6e66de0b7

SHA1
eefda75465d0c5d9b81c80bcddf8761a58bc79b3

SHA256
1270875336b158f26ce12d8b0d6913fee8a82f6d3bd0233f9eb4eb56846a36e6

SHA512
15978c2fb8b75ac47ca759fefa67dfa64667535e33d24bd679fcbe5de5fc4788a28b7af67aec20c234825538453f726a9b67b56694fda3108b6369fc7511c6e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
abd3508a57fbbd494a68bb11ed711212

SHA1
bd4b8a07d4e83e300747976569c2af1cca761947

SHA256
9c666d72ebb514522bd5f9b6584cc7b087ed832533ba573b3cf05fa9a61c54d7

SHA512
af53c42c740401cd19680257c8c2c5a2338cdbc9cd435c42c05f91f02d7387fc3412810206f7a43f9553a29df9d49028a22239dd54a0339d9fc6d6e9a9699e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a4dd3ff3459bba4ce1a6530250eade57

SHA1
9c706c333d6f6fee68daa1e16b4d2c9549e64545

SHA256
ed8c676d057338fc9d5cc415a821f323581337a3211173013d81a9800131f8c9

SHA512
f657f5a9734e5f4d79502976da69ecb8ee28e98baae5b09fd0cb4bf971d2bd55ed28657851ee2f98987a82e794a3fd3d200998bab43c1406e3a716a509a1884d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588b63.TMP

Filesize
538B

MD5
b0fe3024259a0d26137b469533414923

SHA1
6a8fd7983ce288edbe1788e223ca298829b6b304

SHA256
69dca5e5afafe7ef68e2914d6de0948c08ceb118ef5ac511b018d780ce0b4a02

SHA512
2b58232704c881609d86f6632aecd39c59d67f7bca1322c7c530a41cb7473e70ecb0130c6be6974d7aa5a1fa9c84e10e162616e1c5cd99e206ac84539d758612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63ea57ccfaf6c7e9dc57bf0894abaf99

SHA1
f8e91721c6252e5d2515f279492e9863cc144378

SHA256
a5303dab1f87c13d4d8f8a101982977a4e7d6daffc7109a3174663eba416256d

SHA512
1fc819f55d625e8aa47d3bac797e4fa8ac77335c58fd74650f6cc943924390ea0940dca6b9efdd528efd631bd2f5b5274c847592b1d900216e63cd5d3ff1f32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e53b949ba7350a6b0ca9a8d4e0230e89

SHA1
b0de40e8c343e47b981125dfa3c559c246f73556

SHA256
ea3648df02e997d0cd35fc829f0d98db9b7f3dbffbd3e9363c1155b2bee08884

SHA512
1587d279df8635f345bdb750e9489db6f805f9939e6c4fa11fbe225dc17860272fd36fb59f4d536bfcc93e225a0fc309169cb9dd1b53f9cadea1a571e80e4b7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4036-7-0x0000029EECD00000-0x0000029EECD12000-memory.dmp

Filesize
72KB

Download
memory/4036-8-0x0000029EED880000-0x0000029EED89E000-memory.dmp

Filesize
120KB

Download
memory/4036-0-0x0000029EEAFD0000-0x0000029EEAFE8000-memory.dmp

Filesize
96KB

Download
memory/4036-6-0x0000029EEFDA0000-0x0000029EEFE16000-memory.dmp

Filesize
472KB

Download
memory/4036-5-0x00007FFD5FF20000-0x00007FFD609E1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-4-0x0000029EEDEA0000-0x0000029EEE3C8000-memory.dmp

Filesize
5.2MB

Download
memory/4036-3-0x0000029EED960000-0x0000029EED970000-memory.dmp

Filesize
64KB

Download
memory/4036-2-0x00007FFD5FF20000-0x00007FFD609E1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-1148-0x0000029EEDE50000-0x0000029EEDEA0000-memory.dmp

Filesize
320KB

Download
memory/4036-9-0x0000029EED960000-0x0000029EED970000-memory.dmp

Filesize
64KB

Download
memory/4036-1-0x0000029EED5B0000-0x0000029EED772000-memory.dmp

Filesize
1.8MB

Download