Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 23:13
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/folder/bEMUjBrK#dSqYdVa8Jk8vsVl_um5USw
Resource: win10v2004-20240426-en
General
Target: https://mega.nz/folder/bEMUjBrK#dSqYdVa8Jk8vsVl_um5USw
Malware Config
Extracted: discordrat
discord_token: MTI0ODAxODg4MTEwMDkxMDYwMw.GRaXlf.ylaGWSJsDFw8FuU8OAZhB6MI1OqGbyePmWUsTg
server_id: 1248018097349197876
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 2 IoCs
pid | Process
5280 | Client-built.exe
3036 | Client-built.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
6112 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5280 | Client-built.exe
Token: SeDebugPrivilege | 5532 | Discord rat.exe
Token: SeDebugPrivilege | 3036 | Client-built.exe
Token: SeDebugPrivilege | 2616 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2616 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2616 | taskmgr.exe
Suspicious use of FindShellTrayWindow 63 IoCs
Suspicious use of SendNotifyMessage 54 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/bEMUjBrK#dSqYdVa8Jk8vsVl_um5USw
PID: 2640
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddd8146f8,0x7ffddd814708,0x7ffddd814718
  PID: 2108

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  PID: 3140

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  PID: 1688
  - Suspicious behavior: EnumeratesProcesses

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  PID: 1752

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  PID: 4604

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  PID: 4852

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 /prefetch:8
  PID: 4844

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  PID: 1148

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  PID: 2280
  - Suspicious behavior: EnumeratesProcesses

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  PID: 1044

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  PID: 512

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  PID: 4172

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  PID: 4768

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  PID: 1884

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6068 /prefetch:8
  PID: 5208

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  PID: 5216

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  PID: 5228
  - Suspicious behavior: EnumeratesProcesses

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  PID: 5660

  Child of PID 2640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8875327450068880397,9545623437473833886,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5344 /prefetch:2
  PID: 3168
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4280

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 964

C:\Windows\system32\AUDIODG.EXE 0x49c 0x50c
PID: 3628

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 5800

"C:\Users\Admin\Desktop\release\builder.exe"
PID: 6008

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\release\ae.txt
PID: 6112
- Opens file in notepad (likely ransom note)

"C:\Users\Admin\Desktop\release\Client-built.exe"
PID: 5280
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

"C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
PID: 5532
- Suspicious use of AdjustPrivilegeToken

"C:\Users\Admin\Desktop\release\Client-built.exe"
PID: 3036
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

"C:\Windows\system32\taskmgr.exe" /4
PID: 2616
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads