discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1221895306933833802/1221914989120458845/Client-built[.]rar?ex=66145003&is=6601db03&hm=24212dc7c96b732376241577ae870f3f6f7b9f236eae7b76935274d9191d84ad&

Analysis

max time kernel
359s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1221895306933833802/1221914989120458845/Client-built.rar?ex=66145003&is=6601db03&hm=24212dc7c96b732376241577ae870f3f6f7b9f236eae7b76935274d9191d84ad&

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMTkxMzUyNTI5MTg0MzY4NQ.GEtd5_.rb7YDE3upMpw8BvRznWpPabhFHSx5LUwoSbtkA
server_id
1221895306120265778

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4652 created 624	4652	Client-built.exe	5

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4652	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
554	discord.com
562	raw.githubusercontent.com
199	discord.com
549	discord.com
225	discord.com
542	discord.com
548	discord.com
192	discord.com
193	discord.com
298	discord.com
329	discord.com
490	discord.com
550	discord.com
561	raw.githubusercontent.com
563	discord.com
228	discord.com
295	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 5036	4652	Client-built.exe	163

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_6000_1024018070\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_75_4_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping6000_708983183\_locales\ne\messages.json	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{7A98AB7F-F225-4F43-9CB2-5EFD82BB611D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
6000	msedge.exe
6000	msedge.exe
4652	Client-built.exe
4652	Client-built.exe
5796	msedge.exe
5796	msedge.exe
4652	Client-built.exe
5036	dllhost.exe
5036	dllhost.exe
5036	dllhost.exe
5036	dllhost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2684	7zG.exe
Token: 35	2684	7zG.exe
Token: SeSecurityPrivilege	2684	7zG.exe
Token: SeSecurityPrivilege	2684	7zG.exe
Token: SeDebugPrivilege	4652	Client-built.exe
Token: SeDebugPrivilege	4652	Client-built.exe
Token: SeManageVolumePrivilege	4596	svchost.exe
Token: 33	3992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3992	AUDIODG.EXE
Token: SeDebugPrivilege	4652	Client-built.exe
Token: SeDebugPrivilege	5036	dllhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2684	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6000 wrote to memory of 6040	6000	msedge.exe	119
PID 6000 wrote to memory of 6040	6000	msedge.exe	119
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 1684	6000	msedge.exe	120
PID 6000 wrote to memory of 3096	6000	msedge.exe	121
PID 6000 wrote to memory of 3096	6000	msedge.exe	121
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122
PID 6000 wrote to memory of 1404	6000	msedge.exe	122

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{af0f4053-7e12-4274-99c8-19fd3c52ec05}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1221895306933833802/1221914989120458845/Client-built.rar?ex=66145003&is=6601db03&hm=24212dc7c96b732376241577ae870f3f6f7b9f236eae7b76935274d9191d84ad&
1⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4568 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4576 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5772 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6052 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6184 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6408 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6660 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=4160 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:1
1⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x234,0x294,0x7ffb66122e98,0x7ffb66122ea4,0x7ffb66122eb0
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2204 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2712 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2708 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4316 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4316 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4580 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4712 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4716 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4720 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4796 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=760 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2208,i,2658879608241691795,5875761467243991725,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1940

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Client-built\" -spe -an -ai#7zMap6122:86:7zEvent7303
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2684

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1564

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
1c063b2289663d8596506bbbd54cee54

SHA1
b0d052b9aac15105e92decf691b61f64e09e8d4c

SHA256
2222b78abd0723bade60e9e0a9d4938fa2819144c61a656164dc1d1154c37015

SHA512
3ea9bddf3419b0ea8e50d3fb4270b6b384c33e10bf3661af7918beed95d94ece68899e03ccfe7c15f38349e5b7849bf0d6232d75e9231af17f2d7e09c18c341e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0c96b3e6f436c0050aa932c3faa8f3b4

SHA1
88555c51ff78adf33908bbe2bcd629e169523f1e

SHA256
43e4cec467d188d29acc98b1ddf2ce2430d8b7da440be7df0ef1afd5c9373845

SHA512
b0e4c5c4efe40dbfe3fdccd39c187e08646aed69de0d452ec29f929e950af5b886b704d661ba908d79f7098dafe3aacc118191a27f4e66f6227ef7f51024ac43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e3ca8936d15b3776ba3e2189905b2ac6

SHA1
af8ee962f329567a464c5180f23ff2a9510bb0bd

SHA256
29a02bce606fa81f51ae55013f88bf9f8216f7780ec8162bbaf539da41c581d6

SHA512
bd0d7b96ae62126b40e5a54ec7986f384b646c343767a1497d6e7b90f143cc676e9c97cf96f20c091876dcee659399329f3ffe2d875214f452e1cbe7edc4c9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
7732af780db1fac9016e254a58a82063

SHA1
504fe3e5c653d6480619ba5c2cac329659751cf0

SHA256
236522bb53e6931dc9408d383075ee8d8fefc8198208a9dc73e5a88889848ae6

SHA512
2eef818172c30e2e3b07d6580a89c17e6658876a65a39d088bf6ac58b6f74a8b4c36680accda74b89fb16b6e7017ea3b54fb0cdb0585ac00a17f563ce31d4a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
3273b04cabeca636208fbaa1b8dc1d54

SHA1
c3d5813003a56c52d3d8d50aa21e4f0336c118ef

SHA256
78f06264d6fbc7532db155b892496f6f39a1435c5c3ae02de79abfc8432aee4b

SHA512
899885ca1824731f0abada0c65a488ecbf53c55da109977a41cdf44c8148d3df987a83384a55328793efb27f119cb63d30877d051b757d16180ef80aac4c50d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
65KB

MD5
b8ba3c274d7da689729ccd477c02e8e2

SHA1
9f6a939a193d32ce7919a09a718bf57c780b9fdf

SHA256
50aa4b866f495809ca61307cbacc43eb213654839ab7e7b9083f8f0c2ae0fbae

SHA512
f372c50e9fdb4bee300be51d5846341bb2c76e8d3a1ec857eb32afb2f7b697218a8d5e9b500c8ebbec914607894306268f7ee4aae98f91b8708c2d23f1f82b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
97aa46b7638e9c4a3fc0245f43c31065

SHA1
c69a41804a1d29b9846ec1958e251e317eaa6d06

SHA256
3962d512c84ffa0268e12cd793ea12b61a281302ff0fc14160423260d126fb07

SHA512
1a2accaa96af11fa8e5aa751a694af66797c72de0ca602db69dd6034905cd91f27f418783bb4c670e97d1699f0fc99af0c21e01898c41e47102776aca8f97001

Download Submit
C:\Users\Admin\AppData\Local\Temp\35e89ec0-69e9-45d7-99dd-a53d1addf22f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\Downloads\Client-built\Client-built.exe

Filesize
78KB

MD5
6c0def2fa807c96b64833f6f9372cacd

SHA1
3a02b8bb4426a979d1946fe601700a8afb920e05

SHA256
493cee2ab73ae407d1f4b68ebefc960d5b8a4941de451f3dfb6de820d35c8b7c

SHA512
893826eba777279ae09344a50d532f38047d42419f7dae1badf9a0ef3996feef163d5091bb1b17641929cf859853dd0b5ef0ef9d8f9a1f68a3245c5affe62697

Download Submit
memory/336-557-0x000001E876500000-0x000001E87652A000-memory.dmp

Filesize
168KB

Download
memory/336-547-0x000001E876500000-0x000001E87652A000-memory.dmp

Filesize
168KB

Download
memory/624-535-0x000002034BCA0000-0x000002034BCC3000-memory.dmp

Filesize
140KB

Download
memory/624-540-0x000002034BCD0000-0x000002034BCFA000-memory.dmp

Filesize
168KB

Download
memory/624-537-0x000002034BCD0000-0x000002034BCFA000-memory.dmp

Filesize
168KB

Download
memory/624-548-0x00007FFB8EF4F000-0x00007FFB8EF50000-memory.dmp

Filesize
4KB

Download
memory/624-543-0x00007FFB8EF4D000-0x00007FFB8EF4E000-memory.dmp

Filesize
4KB

Download
memory/692-539-0x00000259CD300000-0x00000259CD32A000-memory.dmp

Filesize
168KB

Download
memory/692-550-0x00000259CD300000-0x00000259CD32A000-memory.dmp

Filesize
168KB

Download
memory/692-554-0x00007FFB8EF4D000-0x00007FFB8EF4E000-memory.dmp

Filesize
4KB

Download
memory/692-542-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

Filesize
64KB

Download
memory/748-553-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

Filesize
64KB

Download
memory/748-561-0x0000019018B90000-0x0000019018BBA000-memory.dmp

Filesize
168KB

Download
memory/748-552-0x0000019018B90000-0x0000019018BBA000-memory.dmp

Filesize
168KB

Download
memory/972-549-0x00007FFB4EF30000-0x00007FFB4EF40000-memory.dmp

Filesize
64KB

Download
memory/972-544-0x000001BC7F0D0000-0x000001BC7F0FA000-memory.dmp

Filesize
168KB

Download
memory/972-556-0x000001BC7F0D0000-0x000001BC7F0FA000-memory.dmp

Filesize
168KB

Download
memory/972-558-0x00007FFB8EF4C000-0x00007FFB8EF4D000-memory.dmp

Filesize
4KB

Download
memory/1020-563-0x000001CBA0160000-0x000001CBA018A000-memory.dmp

Filesize
168KB

Download
memory/1108-566-0x000002725F5C0000-0x000002725F5EA000-memory.dmp

Filesize
168KB

Download
memory/1116-573-0x000002A117CF0000-0x000002A117D1A000-memory.dmp

Filesize
168KB

Download
memory/1124-577-0x000001CDF70E0000-0x000001CDF710A000-memory.dmp

Filesize
168KB

Download
memory/1208-581-0x00000225AE5C0000-0x00000225AE5EA000-memory.dmp

Filesize
168KB

Download
memory/4596-484-0x000002284D9A0000-0x000002284D9B0000-memory.dmp

Filesize
64KB

Download
memory/4596-468-0x000002284D8A0000-0x000002284D8B0000-memory.dmp

Filesize
64KB

Download
memory/4596-500-0x0000022855D10000-0x0000022855D11000-memory.dmp

Filesize
4KB

Download
memory/4596-502-0x0000022855D40000-0x0000022855D41000-memory.dmp

Filesize
4KB

Download
memory/4596-503-0x0000022855D40000-0x0000022855D41000-memory.dmp

Filesize
4KB

Download
memory/4596-504-0x0000022855E50000-0x0000022855E51000-memory.dmp

Filesize
4KB

Download
memory/4652-409-0x000001BEB2300000-0x000001BEB2828000-memory.dmp

Filesize
5.2MB

Download
memory/4652-505-0x000001BEB1E80000-0x000001BEB1F2A000-memory.dmp

Filesize
680KB

Download
memory/4652-405-0x000001BE97480000-0x000001BE97498000-memory.dmp

Filesize
96KB

Download
memory/4652-406-0x000001BEB1B00000-0x000001BEB1CC2000-memory.dmp

Filesize
1.8MB

Download
memory/4652-407-0x00007FFB6C1D0000-0x00007FFB6CC91000-memory.dmp

Filesize
10.8MB

Download
memory/4652-408-0x000001BE97840000-0x000001BE97850000-memory.dmp

Filesize
64KB

Download
memory/4652-422-0x00007FFB6C1D0000-0x00007FFB6CC91000-memory.dmp

Filesize
10.8MB

Download
memory/4652-423-0x000001BE97840000-0x000001BE97850000-memory.dmp

Filesize
64KB

Download
memory/4652-526-0x00007FFB8DE40000-0x00007FFB8DEFE000-memory.dmp

Filesize
760KB

Download
memory/4652-525-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/4652-524-0x000001BEB1E10000-0x000001BEB1E4E000-memory.dmp

Filesize
248KB

Download
memory/4652-512-0x000001BE97840000-0x000001BE97850000-memory.dmp

Filesize
64KB

Download
memory/4652-506-0x000001BE97840000-0x000001BE97850000-memory.dmp

Filesize
64KB

Download
memory/5036-533-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5036-527-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5036-529-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5036-528-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5036-531-0x00007FFB8EEB0000-0x00007FFB8F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5036-530-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5036-532-0x00007FFB8DE40000-0x00007FFB8DEFE000-memory.dmp

Filesize
760KB

Download