hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/download/2[.]0/release[.]zip

Resubmissions

23-04-2024 22:18

240423-172znscc9t 10

23-04-2024 22:13

240423-15dt3acc6z 1

23-04-2024 22:09

240423-1286sscd67 1

Analysis

max time kernel
210s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583839844448012"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
3224	msedge.exe
3224	msedge.exe
3260	identity_helper.exe
3260	identity_helper.exe
4300	msedge.exe
4300	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
5916	chrome.exe
5916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe
Token: SeShutdownPrivilege	5916	chrome.exe
Token: SeCreatePagefilePrivilege	5916	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 1484	3224	msedge.exe	87
PID 3224 wrote to memory of 1484	3224	msedge.exe	87
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 732	3224	msedge.exe	88
PID 3224 wrote to memory of 5112	3224	msedge.exe	89
PID 3224 wrote to memory of 5112	3224	msedge.exe	89
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90
PID 3224 wrote to memory of 4476	3224	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80cb746f8,0x7ff80cb74708,0x7ff80cb74718
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7851209002605494480,10845055252092258836,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5628

C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
1⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffff868ab58,0x7ffff868ab68,0x7ffff868ab78
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1884,i,14831508362427022976,5754234395855059923,131072 /prefetch:8
  2⤵
  PID:5484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3aff175f8c5e7c1bcac1cb0c89abf8f0

SHA1
527de3572d83849a776d236a734ebcafbe609121

SHA256
d0086d082b2004e895a91b82b7252fe1569b62668142257bf485f24509669ae3

SHA512
315ad69f4ff8f187cca5048322ec2744b88f9b83d9bd4777cae087e0433757ddf1b48c6c641e9a1be87bfb8e001316ddcd167470df97ade15b146cf0a5d9d31c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d52989127860658286c64358aa1be44c

SHA1
de7802b0443b5566136737d59be0c60332fed47c

SHA256
533690f91d0270f18731f92b4580846b5823c5affef446c17191111136fe3d11

SHA512
c9ecbab06d203b38577a74748ca5da2ced6e878dbe4ac69893bba785da1e28fd10829d8f9c5734aa213e91ea169322a4ec4a95619d5b1ffbc9dc43fd47e98d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a00da9ca7984263326954708ec867d6a

SHA1
ce6c8a0550068616a6b200e430a99290c4bf94de

SHA256
07512e51fd51ffe68e3c7c26eecf529b4765206b32aca2b0a19e0b34695e6dde

SHA512
e36882ae1413c1592019f20ae9d75e65b553f91fa6fa79ce1146739e99fce6feba68c9dd0a73e40c2dcee24e062724b3a0b12b42911b96333d094a587741cdae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
f0113e51d9c8090b3c1a839a9db5c448

SHA1
672c11c9d6688c4161ec6489b418d2b61579c081

SHA256
b818a2485809c867d8dce814d04a2fd344f1ee9745e01e21edf565953704fb76

SHA512
5113857c6e843923d41cf6e1d432fa77bf5393ccdb83577ce2e558ec870dd2d800df97abbeb549e3ef48d7ed79b914b7edcd0fb78270a74b5d8a9b854e1a592c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
77597f3e69df5155db42b22c77f3aaad

SHA1
9e675f8b2ff396c614e9e491971bd60f4d0e3468

SHA256
6287e777e05a6f40d8b73152f6e6577b16c90723400a66071769206762dfa0b4

SHA512
40e42bc063590f4b4ff10a0999e5b69fd6d9962306b397bfc16125eb7f0d90e856224f395105f12276656fc4b43541cc436265fd06d2ef552821ae9dabeb91cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80abd2e3687bdb466521a0e87aed36b9

SHA1
21d3a376757634d62f61a27d92cc602a0718cbb2

SHA256
0d5a355a1c6d1898b30a1dfb4b6f028619d834f948851f8bee7a05e1f9cfd4f3

SHA512
fde93756d5d8642227423d0718b29399a7b105ae641fc3c01f60d054ffe274d1d64b9cbcccf5e9f9134058a8fd306b370e98f9a4f0781c26f392c9d06021f092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0698843916ddb8c032a334acc0d5c110

SHA1
3ac1f069a3666d828206156908d52d712d7c2500

SHA256
142c66b38b89ff4a474cc0e485d3766a23bf7d504e56609174845fdfb92a44b3

SHA512
9a6b9e99df8b8483bd9b22ac0ae35121d9609421b84f6e1cd609e04e0515ff74e242d628c3c0c82f588e987c9b2c1e3986b5da090f87dc71f2f633fcd132fb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb29938a75cf1b5ab927ae7f51db5a24

SHA1
d6ead92df86634dd8dd45c125b69e79a32f1df69

SHA256
3e16c7c473d39fcd6e98f722d9af718e688879e946547ed7118d9ec71a1ae4db

SHA512
b7f17b1c20f55ca338f02edaea8e5b3c065108112c346cd2f60590657b379e48a07acb1e13d287198e79dea96623aa4ccb1d8aac6ac902a981744e14e5d01917

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/6040-82-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/6040-78-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/6040-77-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/6040-76-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/6040-75-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/6040-73-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/6040-74-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download