hxxp://discord[.]com

Analysis

max time kernel
459s
max time network
462s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://discord.com

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com
207	discord.com
5	discord.com
12	discord.com
8	discord.com
11	discord.com
15	discord.com
16	discord.com
19	discord.com
132	discord.com
314	discord.com
6	discord.com
133	discord.com
209	discord.com
313	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Admin\Changelog.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Manager\Mentionable.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Misc\ServerInvite.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\AdminHandler.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\status\_internal\importlib_metadata-7.1.0.dist-info\RECORD	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\status\_internal\importlib_metadata-7.1.0.dist-info\WHEEL	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\node_modules\require-reload\tests\lib\node_modules\require-reload-test\package.json	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Misc\Discrim.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\events\guildRoleUpdate.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Dyno.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Music\index.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Music\Search.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Misc\Info.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\node_modules\require-reload\tests\lib\node_modules\require-reload-test\index.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Moderator\Kick.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Admin\LoadIPC.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Misc\Whois.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\structures\Command.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\events\guildMemberAdd.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Manager\Prefix.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\collections\ModuleCollection.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\CustomCommands\Parser.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\status\_internal\_bz2.pyd	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\node_modules\require-reload\tests\lib\time.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Moderator\Ignored.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Music\Queue.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Manager\Announce.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\node_modules\require-reload\LICENSE	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Manager\IgnoreChannel.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\managers\WebhookManager.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Music\Search.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\interfaces\EventCollection.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\status\_internal\multidict\_multidict.cp312-win_amd64.pyd	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Manager\Rolename.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\CommandHandler.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\managers\WebhookManager.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Admin\LoadModule.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\collections\CommandCollection.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\structures\Module.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\gulpfile.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Autoroles\Ranks.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Admin\LoadModule.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Moderator\Undeafen.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\status\_internal\attrs-23.2.0.dist-info\RECORD	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\structures\Base.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Dyno.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\redis.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\events\messageCreate.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\status\_internal\frozenlist\_frozenlist.cp312-win_amd64.pyd	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\VoiceTextLinking.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\node_modules\require-reload\tests\node_modules\require-reload-test\index.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Automod\index.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Music\Queue.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Music\Queue.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Music\Youtube.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\cluster\Server.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Admin\Eval.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\core\utils\Loader.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\DynoManager.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\MessageLogger.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Misc\RandomColor.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\ipc\reload.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\modules\Automod\Filter.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\Dyno\src\commands\Moderator\Deafen.js	msedge.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c00310000000000a858926d110050524f4752417e310000740009000400efbe874fdb49bb580e8b2e0000003f0000000000010000000000000000004a000000000021150b00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{45681CB7-9500-4C60-9A92-59F331EEC02F}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1720	NOTEPAD.EXE
1560	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1780	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1292	AUDIODG.EXE
Token: SeRestorePrivilege	2172	7zG.exe
Token: 35	2172	7zG.exe
Token: SeSecurityPrivilege	2172	7zG.exe
Token: SeSecurityPrivilege	2172	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	7zG.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
1780	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe
5724	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1720	1780	OpenWith.exe	150
PID 1780 wrote to memory of 1720	1780	OpenWith.exe	150

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://discord.com
1⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=3840,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:1
1⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=3184,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=1644 /prefetch:1
1⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5240,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:8
1⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5252,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
1⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --field-trial-handle=5620,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:1
1⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=6224,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6232 /prefetch:1
1⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6396,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:8
1⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6492,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:8
1⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6536,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:8
1⤵
- Modifies registry class
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5244,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1
1⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5676,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:1
1⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5624,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6340 /prefetch:1
1⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5864,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
1⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6900,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6992 /prefetch:1
1⤵
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6932,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6916 /prefetch:8
1⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5916,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:8
1⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7016,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:1
1⤵
PID:5908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7028,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:1
1⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=5388,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:1
1⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7388,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:8
1⤵
- Drops file in Program Files directory
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7208,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7172 /prefetch:8
1⤵
PID:3964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Dyno.rar
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7676,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:1
1⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=7164,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:1
1⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7548,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7396 /prefetch:8
1⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5464,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:8
1⤵
PID:908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Nitro_Meth0d.rar
1⤵
- Opens file in notepad (likely ransom note)
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=7800,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7764 /prefetch:1
1⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7192,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:1
1⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7380,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
1⤵
- Drops file in Program Files directory
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7400,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
1⤵
PID:5192

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\talkin-status.rar
1⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=7412,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:1
1⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=7496,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:1
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7352,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7652 /prefetch:8
1⤵
- Drops file in Program Files directory
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7176,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7396 /prefetch:8
1⤵
PID:2196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap734:78:7zEvent865
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=6352,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:1
1⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=6236,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:1
1⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=7976,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:1
1⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=7340,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:1
1⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5520,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=7480 /prefetch:8
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\Dyno\node_modules\require-reload\tests\node_modules\require-reload-test\index.js

Filesize
50B

MD5
dc35d3853ef43ec78ab87c4d3aa091af

SHA1
a43d054ac47a2efdb9bdf3c1e4c0ba4f9a43f57b

SHA256
259919c0d75b8aa85cec9574a99820ca01475c7b2dd5fe45967451b1e1f07713

SHA512
86a212c777eefee7c67e4cb6528452ffbe5f136382af88d707c34a9b84ac51338e5b56ff69327ed8b1062a6ecf332fc19fb24749cadec79f9b641d145beb1333

Download Submit