Analysis
max time kernel: 279s
max time network: 262s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 00:50

Behavioral tasks
- behavioral1: sample Client-built.exe, resource win7-20240221-en
- behavioral2: sample Client-built.exe, resource win10v2004-20240412-en
Errors

General
Target: Client-built.exe
Size: 78KB
MD5: 7c16d8d9eca7c5ea3c0919afce4a42a8
SHA1: db2d93ddef2d96fc687b11830781c54d549b7d3c
SHA256: 52ab6102c24d59bcc88d6d5311e8f7404e69b17233ba995bbd162326782ac412
SHA512: 4dd267a609ee31405d0353186ac2588afe760c401fe43d8958fa6c7a9ecbb65665ee120876f49a6760de1cd703791516f9ff7362a8355ac1b53f002a2af80312
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC
Malware Config
Extracted family: discordrat
discord_token: MTIyNzU5OTczMjkwMjMzMDM3OQ.GGJ-EF.ITvPrvNzJvdqzhVFGBeM8xjGUkZMvbKmCPGwDw
server_id: 1221811060135170099
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 1848 created 632 | 1848 | Client-built.exe | 5

Downloads MZ/PE file

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 21 IoCs)
flow | ioc
61 | discord.com
69 | raw.githubusercontent.com
200 | raw.githubusercontent.com
202 | discord.com
53 | discord.com
68 | raw.githubusercontent.com
70 | discord.com
138 | discord.com
203 | discord.com
208 | discord.com
15 | discord.com
54 | discord.com
71 | discord.com
73 | discord.com
74 | discord.com
207 | raw.githubusercontent.com
14 | discord.com
60 | discord.com
139 | discord.com
140 | discord.com
28 | discord.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1848 set thread context of 4260 | 1848 | Client-built.exe | 126

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{AE153510-97CF-4E5C-8ACB-D6E4EF682F6B} | msedge.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3940 | vlc.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs; repeated rows collapsed with a count)
pid | Process | count
4692 | msedge.exe | 2
5100 | msedge.exe | 2
4248 | identity_helper.exe | 2
4992 | msedge.exe | 2
1848 | Client-built.exe | 1
4260 | dllhost.exe | 4

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3940 | vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs; repeated rows collapsed with a count)
pid | Process | count
5100 | msedge.exe | 11

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1848 | Client-built.exe
Token: 33 | 4656 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4656 | AUDIODG.EXE
Token: SeDebugPrivilege | 1848 | Client-built.exe
Token: SeDebugPrivilege | 4260 | dllhost.exe

Suspicious use of FindShellTrayWindow (34 IoCs; repeated rows collapsed with a count)
pid | Process | count
5100 | msedge.exe | 26
3940 | vlc.exe | 8

Suspicious use of SendNotifyMessage (31 IoCs; repeated rows collapsed with a count)
pid | Process | count
5100 | msedge.exe | 24
3940 | vlc.exe | 7

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3940 | vlc.exe

Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed with a count)
description | pid | Process | procid_target | count
PID 1848 wrote to memory of 5100 | 1848 | Client-built.exe | 96 | 2
PID 5100 wrote to memory of 2220 | 5100 | msedge.exe | 97 | 2
PID 5100 wrote to memory of 8 | 5100 | msedge.exe | 98 | 40
PID 5100 wrote to memory of 4692 | 5100 | msedge.exe | 99 | 2
PID 5100 wrote to memory of 1308 | 5100 | msedge.exe | 100 | 18
Processes
(Process tree: indented entries are children of the entry above them. Each entry lists the image path with its PID, the command line, and any signatures the process triggered.)

- C:\Windows\system32\winlogon.exe (PID 632)
  cmd: winlogon.exe
  - C:\Windows\system32\dwm.exe (PID 468)
    cmd: "dwm.exe"
  - C:\Windows\System32\dllhost.exe (PID 4260)
    cmd: C:\Windows\System32\dllhost.exe /Processid:{1da91a2c-486c-47a3-934f-ce95a472429e}
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\lsass.exe (PID 688)
  cmd: C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe (PID 984)
  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\System32\svchost.exe (PID 980)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe (PID 1132)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- C:\Windows\System32\svchost.exe (PID 1140)
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\System32\svchost.exe (PID 1180)
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (PID 1188)
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (PID 1196)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe (PID 1316)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (PID 1332)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe (PID 1380)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - C:\Windows\system32\sihost.exe (PID 4676)
    cmd: sihost.exe
- C:\Windows\system32\svchost.exe (PID 1436)
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe (PID 1552)
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe (PID 1572)
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\System32\svchost.exe (PID 1656)
  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\system32\svchost.exe (PID 1736)
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe (PID 1756)
  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe (PID 1840)
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\sysmon.exe (PID 2884)
  cmd: C:\Windows\sysmon.exe
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 1848)
  cmd: C:\Users\Admin\AppData\Local\Temp\Client-built.exe cmd start Client_built.exe
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5100)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
    signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2220)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaf4e46f8,0x7ffcaf4e4708,0x7ffcaf4e4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 8)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4692)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1308)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1716)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3300)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4456)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4248)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2752)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3484)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3764)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5116)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2016)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1912)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2216)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 224)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4432)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5052 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4992)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,11519617044805918348,17694987939009953042,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3372 /prefetch:8
      signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4992)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4452)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 4656)
  cmd: C:\Windows\system32\AUDIODG.EXE 0x2b4 0x448
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 3940)
  cmd: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnprotectConvert.TS"
  signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: cb138796dbfb37877fcae3430bb1e2a7
  SHA1: 82bb82178c07530e42eca6caf3178d66527558bc
  SHA256: 50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd
  SHA512: 287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5
- Filesize: 152B
  MD5: a9519bc058003dbea34765176083739e
  SHA1: ef49b8790219eaddbdacb7fc97d3d05433b8575c
  SHA256: e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b
  SHA512: a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53
- Filesize: 29KB
  MD5: 65ead7a27dac1b73fe999e0f0132855e
  SHA1: b0b964c23af25afe3d0d584223abd22ede25e480
  SHA256: 7bf21b6c2b88a07469df61c5be02b7c88324b66d313214f90e56ef124bd46c2e
  SHA512: 9e1ee7c968fd5dec54bd3a65e847a266bcc741ef7aaaadb6773ededf08e1d4fb84591c89e03f7791c812b2b2c549eb98b4fd07fae9a429602908f35e02824b75
- Filesize: 2KB
  MD5: 19dc58f433c19f96e43a0c70a1511218
  SHA1: 0bd2cfd8f04adc31501caf7965b2b9321caf4f61
  SHA256: 362414b035e523c3a44c82fac9d9f1ceb04cef24341715b1306ffd7283239d54
  SHA512: ddae7c5bf633a6c9319c0b7802b16408cab74843eae2e4a4288f21e7b32bafae31f0d579d615533358c250e90a5cd1f9ac75a892d267fc3edc3c53a32e750c3c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 84ca21146ce16d1542a7aee6097fb5a7
  SHA1: 38059b646ab1004f93c916d61b84d7ea4b8aa984
  SHA256: 223f818cf5282b1bdc47960e86d136c0aa8cc33b89781c873636a866d2712889
  SHA512: 197ed184cb4247343a1d16b60fcaa406f8b6c47b0ca14990892be805117245fddf06223af2ac87b3b70339b99d43e2d60475d642256cf14f69e0ab3c0956434e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 336B
  MD5: 2002dacd1c111a94c761189d83dc3293
  SHA1: 6a59fe414c2fba128f7ea3d691bd2111b466f472
  SHA256: 3a9763b11d6a65f54e7cf12ef0a2e037ccd454094ae5a3d9314da6e68fd873ff
  SHA512: f9eb1005e53d29713aed8719a791d0e50c9ad6475500f5df4a36a368d826cb4f3834da304057d1709b03b3b54983a89948d38466257cfe6229f5e036b2f786d2
- Filesize: 3KB
  MD5: 878433ffc07ec9e6defda7fff264d1d8
  SHA1: 1bb0a423f1e1076bfb054838676d3407b35ee6f7
  SHA256: 8203d074fe04b2ddb7a8e1b2f788f843e3b7f46382d864ea0bf759d2f026463b
  SHA512: 41948b2c2d27bb42eadc43d85479563eb2827d8d7ac06e6c86863e52657b3b407daed9e65a75ae9e2c46cc2473e05e1c4970daa6a73ac039528014856cb5b6a8
- Filesize: 4KB
  MD5: b3df86f7553d9a200b29da18516a037f
  SHA1: 04ad4057b8d0f9de7ad5129b2f6b559ea6c2abcb
  SHA256: 7a2130778811117a4148a2714301a73f89ecac09df36ee6f56bde7f11661c6af
  SHA512: 7851c1ec523d926d91d11d73bb4e5fa772f81951bb03f1ec949d979f8b8b9210f3e6d9bafa12f07eeb090bbf53c7e816d00b92c2c976bf49950472acebe63c4d
- Filesize: 7KB
  MD5: 6ccf356cd7e021aceded058d04ceb999
  SHA1: b294ddba509931bff26aa4d9ec5c5b096fa388aa
  SHA256: b5c657d84d07ab5fbf089b228c3dcdb818d12e18d42699dd11c78b3dfc6d59e0
  SHA512: 844ae8af6c369e171ec7e330f7f83bbc2ff36fde0996e7c888b48ed4630d06ebfbfb043370c546fb0bea63cf38ed289f5ad3943e168765a54003cc26cc293a89
- Filesize: 7KB
  MD5: a4a39e598b3fa22ea18b806848f325ff
  SHA1: c0583165ef310349eadc9c1bea97376e27f655bb
  SHA256: 32125c67256c71f9c072fcc39564f29fa95f62d5c35dded1e15f1ad93a5ef9a9
  SHA512: 581251ef842f1ff0b7d1ad14fb8762ea54cf56964ded6772ad118ca1fff0f73e0112a16d08e9453af1d565d73518e8c0d34e26c929f109506c88d126b0b0aaba
- Filesize: 6KB
  MD5: 0fdab2243df1fdbdf34ac8c0d504eb76
  SHA1: 76977cbcde84b36c773e325ae3a6c86bd7397bbe
  SHA256: 4711c7618d480b5bfa29b67cef875d71253036684952e0f011ad722ea7bb57a6
  SHA512: 8a859c1d5fa47a35d66570549858f744df33837f804e41a1d6de269cce0a43dc347b86910202156993d43a8e9f42bf9394d555e8f8b2750754fd601ac9c23a3c
- Filesize: 7KB
  MD5: c60f716a7b29df193bf78e25938ac2ce
  SHA1: ef3295d516f8f2fa84a988ab6e5dd03133da8c70
  SHA256: a7f8e84ec4d23d50ffda5859073e84895dd3b730a6469550b1b6da4ff3c5d857
  SHA512: 5f0386f84f38c75d78bf98549886b9fd3b228d9de2173d58c136d31cdf7f3442fd38b86a65cc6c8d90f88d8ef34d40e987ec322c17b431cc203c6a246f3d20ba
- Filesize: 6KB
  MD5: a6594e0c87e6d00066ed985a2b754de9
  SHA1: 6a14b8727a30a620ae09c28cd581ca5aae15de02
  SHA256: 33ab39bfb5ed786e732856a75c8520dda523aa04a37d47eb767adefef7bdb6ad
  SHA512: 77c4fa378119d7962ba4e1401f86d916c92f42fdf07e50dcb63642a5657a1aab04d9aab20b89b731c44899baef6ec79fdb1f19daaf83dabdb8281b38703f8132
- Filesize: 1KB
  MD5: 89e8ce00957b94187b08c8ee1568ddf9
  SHA1: 7c63ffc1ee58495ecf832ba64b767e232f8457f8
  SHA256: 2aa04b278a95779266fffbfb135831b31acd683d0ac6e57c371dd618d743ddba
  SHA512: bb2ecf62a49507e8bc222a853b76bb517844ca483d18e8b67428b1e6c2fac1e84c5fca2f8fe803bb9b9f37b419c3a23caadaa424c20bd24c8d093d97818105fc
- Filesize: 2KB
  MD5: c6789c57a1a1a8031483bcdf41c32e28
  SHA1: e4eea17098dc650e72aa8605901e0dfd63657ea0
  SHA256: d44914e1faad91ccd0777bad7f66f1206a7ce953f4a56ad625350b4b815d94ac
  SHA512: 23006c0bda95eff69886ff2a55e6a9e0a28e86c4bfa47679d35c61f19e6005f6b36b8bad7a7977940815f3da2be8323a4d2ee356907b4750e485ce7505277696
- Filesize: 2KB
  MD5: d7a5b4c9c3a00b28f6f895d41536e943
  SHA1: 7252e54a0a87af08a1bcc52b9ab2de7926116eb5
  SHA256: 809d8361b97231ffecca178a3435bdc386e2c4a7ddd72e6f9a9ad8ca287080ee
  SHA512: 2792e1620417cc5d125c96c86c68704ebf82f08b5b0d16e2079fb9f514f3cbc927aead739d80f0642220cd514efd6b84dccc37b38d3f5deb7911b0434d7b3fc1
- Filesize: 2KB
  MD5: 6bf66dc06d18db1eebf96b63069a8343
  SHA1: 69ab964fa40ed0940ce175c01a64f5fd575028bf
  SHA256: 4a76b03719aefd5f19b7252d650feb95a8344558849a375a93f6293fad4d0bf6
  SHA512: 06c489cfb450a31aff5105f67ed6fde2a385e293e8827d88c53ae63bf0a43e97d532ed59e9401f824886c0886c550478e3ca86f080734f9081aff23db09cfa8e
- Filesize: 1KB
  MD5: fd1f63b3eb52bb8788e385b2c23918e0
  SHA1: 94a1f7f9ec093f7e0a95029f1ad7bd5215da0994
  SHA256: 9885789e94f4b8e6e1b27af370898003fe798535452191768d012970f0793872
  SHA512: a62817e2d8e30a83a05147960acf8a73ee92a24802786f67f336c57916535474017dcc6654dc5c1e54f57c671f38505af7d68dfc2387309cde0694155f67054a
- Filesize: 2KB
  MD5: 17dbc82336ff3bf90f46b338a04c1ea1
  SHA1: bbcb8bf45980065ec074ebcccf97788af0e2049b
  SHA256: 48d1042c559382fac99c4abe8282046514344fd4130630d51d1c7b39f68e190c
  SHA512: 5b6afaa90a4219053119849e564b3257430ad869f310cf090d88d7bffba1a9fb236725e8b2b79f707ce1834d2908fcd7cd0bc54f19831bac00f3bf796108d960
- Filesize: 372B
  MD5: 0d072748c74a355c41a756a8fec16021
  SHA1: 057efa0ea1ab58f3f3f7ec760db4f7bae1c7e611
  SHA256: 0f54bbf297aeab9532fb6ce35655e550a767f5bba2eabcd27476ef05d6bcfbc8
  SHA512: bd55c48f673353cb27e01e02066cae75622b00cb3ee6174ac9b327c55b2e64f4d41ed1855539f4100f7ed8c31efcd7ec9750f5316a5d75205d251ebe2470c824
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 12KB
  MD5: 597f80cedbf99e9568b6e793b162314c
  SHA1: c98032b77a459669a1249d889ea7a2e6e6201cdb
  SHA256: 3eaba3de4d87eb98553b62094e8b4b31b7057b6abc65cc61d8496e4bd8c8a5ee
  SHA512: cd8ea9e555825789ecf03e5b4d3fe08d3e1706915ca2aa8c32e9b5112b9f9c2d0619463134c892773d1d9e9c5f6e527c92913d59146f080ec3eee3b3d917bb2f
- Filesize: 11KB
  MD5: 3b5ee0d423d20987331bead2e96f97ba
  SHA1: 46d669ac9817b710fbaa8efb8df4ab87f1247be6
  SHA256: 8c2c5ac30fb7c95eb1287bc982b486d7bd9c68b79969e7ecccd587d90299e29d
  SHA512: 3b12bcd95146883afe88be0cbc76be94f2ad6b12adaea8787fb121c88ca02e5c596a801346dbcb7a35dc427ab92e474d46d34d1eda5bf0a1cdc77d89c0a0dc45
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84