discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/tag/2[.]0

Analysis

max time kernel
560s
max time network
553s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0ODA1MTAzMTI0MjMxMzcyOA.GSglto.tKus9ie3Jr_GxIhcTDX1pX-nxnaULRh-fVMCu
server_id
1238082060959354881

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 2 IoCs

Processes:

Client-built.exeClient-built.exe

pid process

4368 Client-built.exe
3320 Client-built.exe

pid	process
4368	Client-built.exe
3320	Client-built.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exetaskmgr.exe

pid	process
4792	msedge.exe
4792	msedge.exe
4480	msedge.exe
4480	msedge.exe
4372	identity_helper.exe
4372	identity_helper.exe
4440	msedge.exe
4440	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4480 msedge.exe
4480 msedge.exe
4480 msedge.exe
4480 msedge.exe
4480 msedge.exe
4480 msedge.exe
4480 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Client-built.exeClient-built.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4368	Client-built.exe
Token: SeDebugPrivilege	3320	Client-built.exe
Token: SeDebugPrivilege	3756	taskmgr.exe
Token: SeSystemProfilePrivilege	3756	taskmgr.exe
Token: SeCreateGlobalPrivilege	3756	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4480 wrote to memory of 4336	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 4336	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 3000	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 4792	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 4792	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2708	4480	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba6a246f8,0x7ffba6a24708,0x7ffba6a24718
2⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
2⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
2⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
1⤵
PID:3648

C:\Users\Admin\Desktop\release\Client-built.exe
"C:\Users\Admin\Desktop\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\Desktop\release\Client-built.exe
"C:\Users\Admin\Desktop\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3756

C:\Windows\System32\rpvymf.exe
"C:\Windows\System32\rpvymf.exe"
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
29fda2d5380145a62ca8b8b53b42a281

SHA1
f0108fa0f0930a076c6ae0df5383a5ceac8aff7a

SHA256
358c76fc751a84f8955fb6597e4ec97dd233828326cb6449775e18be34dbf394

SHA512
630a3b625a7950e079a7c1edac5c1c299e784c6ad2ba68b08feb784160c9ef4cb0c04294ddf8e737e426882355fdacedacab34f64bb29d139635fbd45f3fd346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
34a72154ed9746a609b29d25ad8d6469

SHA1
ee1fc6413972b90af4973bc1c158c47011e757b5

SHA256
629a1e55ae58d7e9e13caf2aabc58ad73415b514df679a5e15ac561b1b549f10

SHA512
2789dcc6843a73666ed06d51a7bfb8e92dd7c0a82062dc0d252d883e4c943fc229932fdb1410e9d40d7a7dd965623f3df582640a0952adf7feb7e05a68e37d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56487a42aca1b9b5057a4631e1dfe2fd

SHA1
61a5d3f98ffc96c052c598a9515365812dd7aa84

SHA256
2ab2f4281338a032baa33758bf1c07d160f190cc9422ed0d2af0f01acf0fff15

SHA512
5b48765b1854990ee3094a259b374845c0239a82cb078d1c63313eec7d17c4dbee2ea4173cdfca6b50a72ca5fb04b08e07d4160e7373e3e693f0316e2a78f2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cabbd1d7b46dde4f46e019a3db67f759

SHA1
9ec05e56063a5656c06868083deb33b10635836a

SHA256
97b731dbdf8ed95634c84fe515cc8ed63ee1b46ceb6459b49e9c0ac17dbd1857

SHA512
d9aadd5ccb91d5de220aedf1aa57200278e5b363d5b4f1466a0a0e6e3df5a7a7d322b6fb99900b358dddb6669f35abedc2c3b4e84739e2341a0a53c55ffcb1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
536438f0263ef3021e34ddb89e9a1360

SHA1
dbfbe6ace8ea159db512fbda8550afdcbf336a52

SHA256
8cea703655a8ae515b5cb28d4512487ae1b4ae1c40a8e296a77cbd3e2a822e54

SHA512
77d792d277ee26661b7f49df8178ce5f8df6122e7435f44541f4a5e9b15520933e5cea8bdeeb3cf0a3d5b88e1c6cc9d689105599d06e1ae3dc902fccdd0cc500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32befa7127d1444f6a3bc8e489d48f9d

SHA1
4489442b00cf474863c9c4bcbe771d20532fc895

SHA256
25135013c08c9d7d149d31e70928de5feb5e8f30993321fce161b403d45a1578

SHA512
75e9576ccb1ea05a872659c7e7dd9ac87581464b0bc971350dc7d06f0f5ce6da89193f4a9e92f72eb0e9296312c530a1bf5c780faaa4880b85e2908b15a22833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b4c23c545e6253d15efafe1455cfb10

SHA1
b4a671ce7dc0e1d8c2bf8b79f192566051655078

SHA256
5485f66c3b019f39bd5723e29451c82e01c6748aa296cdca12172e1f5f28a46d

SHA512
e5651907962d5871ef6fe4bbe21d005cb40f1f300e543c766adfb10436c3eb75730b5ac6f27f273aec2657a644979b731df88f522a953ab095902fdef9fc3e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b9d96f22da348d26fa1dc762812c7035

SHA1
5f6913260ff4ba4dbdc5bd22030bc1bd091dabcd

SHA256
63b5f2cf7764d69d6b858ca369a52ef4f0e8bdeac48b5a5bb3f1ac197b63da3b

SHA512
93f3ddf60739978dc2d7fa2834e9c5dba5c0f8b20f3c7d701648a087f5c0fa575f2dd49e847da9d8deee5facaaf352cf69fc84f00a4afcb4797340336d3b1703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c80a46d759ddc8e66af17e15d7b3aa91

SHA1
115440e5c0eb50b515c794100baf79ea490222bd

SHA256
ea4f2dce84d2432ef44947cceb1cfbd5e22a9414e0ea30fcb0b64c8fcd048fc6

SHA512
6426f283132ccc7b05a061eda4a83039f96ef58e63f8e725afac72dc07030fdc176cf01f2563ed78885b323d3509a342758b34e3e169a83ae909932f8cb86738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579599.TMP

Filesize
874B

MD5
2656d5e4c4ff13fde56496fcaaead53b

SHA1
2002fb630d44cf967796835b10a9d96e7305553a

SHA256
c21b9e0f9591ab133e297b233ef44d3cf0472b703b89fa9ac6a2483528065910

SHA512
95459f71c0cdef4cc9abb7c7c35acee2053dfa486ade44762f09177f083c264a6caaa522a0920405d58bd471c2bcc74eb9492829a632a567097c4e2a95961eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
933348dafe7fd68c49cee3316e8b0e2f

SHA1
32a87b739c92c236f120a4b71518e0b4a3efd29a

SHA256
2909ad4c606768b09167dc6cac0c0cd96c7835e7c8af110ba490d267e5f910ff

SHA512
74013715a704b8e77447176512c1aee97e1323c9d4b457e018fe40398172ac3f99368cbced4b1de700a8179f7b80888241a39ba9753e1dc09c78f2cb47b48d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7df344db1dc8def4c474099101c5a657

SHA1
89e329b76824bce80b922a9cb0e7a30a3545319a

SHA256
08c79ad4ea8a123a815916cd11dc898d9dc7e78c082a80ae7d2f7728c4ddca2c

SHA512
aa4abdbe0be66ea1b58ec7344bd588f5d94dd8d91b7268874837aa4572351bf10b608328e6bf6b7fbc8cd5a431d9a3fe8197ed1a6208c2fd8a27104161c5e4f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8c73823c336ea8aa45e78a3441574ac

SHA1
c1facc18485cf92a15c46a3f258edca38dc53c3c

SHA256
a1ea472042b2dd3967a49ec567a91dabfe86e0e287c0bfa2e187725b94d3c317

SHA512
39a311b24ca912425c7542023e61548e278ae597411a9f98140e3665fb1d00173870840fca3cbcb7219c9c5aa8a38df53183c220fc809dd884eb2282185ccf83

Download Submit
C:\Users\Admin\Desktop\release\Client-built.exe

Filesize
78KB

MD5
1efdc99ac114ddf7496b173312420d89

SHA1
dfc5c20623d075dada1a1735d79bb13665a185ad

SHA256
f64c52fc8db13dfd887c132df3ecbbe37cc7900e1c6f02d7c343d670871eb466

SHA512
d1edfa1091b1008d6bca57c0db4caa0a0cf2336fa5cd0de2fc123187445f3ae5d7f5375fa923bba205f8ae34a28f0dce009e47029d7afabb1ae4f50a7193e155

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
\??\pipe\LOCAL\crashpad_4480_QSDOTWFPVTFVSFDV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3648-270-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/3648-271-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/3648-272-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/3648-273-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/3648-283-0x0000000005E90000-0x0000000005FB2000-memory.dmp

Filesize
1.1MB

Download
memory/3756-291-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-293-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-292-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-297-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-303-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-302-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-301-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-300-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-299-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/3756-298-0x00000280E5B20000-0x00000280E5B21000-memory.dmp

Filesize
4KB

Download
memory/4368-288-0x00000185283D0000-0x0000018528592000-memory.dmp

Filesize
1.8MB

Download
memory/4368-289-0x0000018528BD0000-0x00000185290F8000-memory.dmp

Filesize
5.2MB

Download
memory/4368-287-0x000001850DD70000-0x000001850DD88000-memory.dmp

Filesize
96KB

Download