Analysis
-
max time kernel
560s -
max time network
553s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-06-2024 10:53
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
Resource
win10v2004-20240508-en
General
-
Target
https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
Malware Config
Extracted
discordrat
-
discord_token
MTI0ODA1MTAzMTI0MjMxMzcyOA.GSglto.tKus9ie3Jr_GxIhcTDX1pX-nxnaULRh-fVMCu
-
server_id
1238082060959354881
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 2 IoCs
pid Process 4368 Client-built.exe 3320 Client-built.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process 4792 msedge.exe 4792 msedge.exe 4480 msedge.exe 4480 msedge.exe 4372 identity_helper.exe 4372 identity_helper.exe 4440 msedge.exe 4440 msedge.exe 4524 msedge.exe 4524 msedge.exe 4524 msedge.exe 4524 msedge.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4368 Client-built.exe Token: SeDebugPrivilege 3320 Client-built.exe Token: SeDebugPrivilege 3756 taskmgr.exe Token: SeSystemProfilePrivilege 3756 taskmgr.exe Token: SeCreateGlobalPrivilege 3756 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe 3756 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4480 wrote to memory of 4336 4480 msedge.exe 81 PID 4480 wrote to memory of 4336 4480 msedge.exe 81 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 3000 4480 msedge.exe 82 PID 4480 wrote to memory of 4792 4480 msedge.exe 83 PID 4480 wrote to memory of 4792 4480 msedge.exe 83 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84 PID 4480 wrote to memory of 2708 4480 msedge.exe 84
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.01⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba6a246f8,0x7ffba6a24708,0x7ffba6a247182⤵PID:4336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵PID:3000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:2708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:4920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:4168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵PID:3188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵PID:4524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵PID:4420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵PID:3896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:12⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:82⤵PID:1312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵PID:4624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4117255543318902118,15336386669599411491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4424
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2212
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4660
-
C:\Users\Admin\Desktop\release\builder.exe"C:\Users\Admin\Desktop\release\builder.exe"1⤵PID:3648
-
C:\Users\Admin\Desktop\release\Client-built.exe"C:\Users\Admin\Desktop\release\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368
-
C:\Users\Admin\Desktop\release\Client-built.exe"C:\Users\Admin\Desktop\release\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3756
-
C:\Windows\System32\rpvymf.exe"C:\Windows\System32\rpvymf.exe"1⤵PID:4400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD556641592f6e69f5f5fb06f2319384490
SHA16a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA25602d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
Filesize
152B
MD5612a6c4247ef652299b376221c984213
SHA1d306f3b16bde39708aa862aee372345feb559750
SHA2569d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA51234a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD529fda2d5380145a62ca8b8b53b42a281
SHA1f0108fa0f0930a076c6ae0df5383a5ceac8aff7a
SHA256358c76fc751a84f8955fb6597e4ec97dd233828326cb6449775e18be34dbf394
SHA512630a3b625a7950e079a7c1edac5c1c299e784c6ad2ba68b08feb784160c9ef4cb0c04294ddf8e737e426882355fdacedacab34f64bb29d139635fbd45f3fd346
-
Filesize
496B
MD534a72154ed9746a609b29d25ad8d6469
SHA1ee1fc6413972b90af4973bc1c158c47011e757b5
SHA256629a1e55ae58d7e9e13caf2aabc58ad73415b514df679a5e15ac561b1b549f10
SHA5122789dcc6843a73666ed06d51a7bfb8e92dd7c0a82062dc0d252d883e4c943fc229932fdb1410e9d40d7a7dd965623f3df582640a0952adf7feb7e05a68e37d5c
-
Filesize
6KB
MD556487a42aca1b9b5057a4631e1dfe2fd
SHA161a5d3f98ffc96c052c598a9515365812dd7aa84
SHA2562ab2f4281338a032baa33758bf1c07d160f190cc9422ed0d2af0f01acf0fff15
SHA5125b48765b1854990ee3094a259b374845c0239a82cb078d1c63313eec7d17c4dbee2ea4173cdfca6b50a72ca5fb04b08e07d4160e7373e3e693f0316e2a78f2ba
-
Filesize
5KB
MD5cabbd1d7b46dde4f46e019a3db67f759
SHA19ec05e56063a5656c06868083deb33b10635836a
SHA25697b731dbdf8ed95634c84fe515cc8ed63ee1b46ceb6459b49e9c0ac17dbd1857
SHA512d9aadd5ccb91d5de220aedf1aa57200278e5b363d5b4f1466a0a0e6e3df5a7a7d322b6fb99900b358dddb6669f35abedc2c3b4e84739e2341a0a53c55ffcb1f1
-
Filesize
6KB
MD5536438f0263ef3021e34ddb89e9a1360
SHA1dbfbe6ace8ea159db512fbda8550afdcbf336a52
SHA2568cea703655a8ae515b5cb28d4512487ae1b4ae1c40a8e296a77cbd3e2a822e54
SHA51277d792d277ee26661b7f49df8178ce5f8df6122e7435f44541f4a5e9b15520933e5cea8bdeeb3cf0a3d5b88e1c6cc9d689105599d06e1ae3dc902fccdd0cc500
-
Filesize
6KB
MD532befa7127d1444f6a3bc8e489d48f9d
SHA14489442b00cf474863c9c4bcbe771d20532fc895
SHA25625135013c08c9d7d149d31e70928de5feb5e8f30993321fce161b403d45a1578
SHA51275e9576ccb1ea05a872659c7e7dd9ac87581464b0bc971350dc7d06f0f5ce6da89193f4a9e92f72eb0e9296312c530a1bf5c780faaa4880b85e2908b15a22833
-
Filesize
6KB
MD51b4c23c545e6253d15efafe1455cfb10
SHA1b4a671ce7dc0e1d8c2bf8b79f192566051655078
SHA2565485f66c3b019f39bd5723e29451c82e01c6748aa296cdca12172e1f5f28a46d
SHA512e5651907962d5871ef6fe4bbe21d005cb40f1f300e543c766adfb10436c3eb75730b5ac6f27f273aec2657a644979b731df88f522a953ab095902fdef9fc3e18
-
Filesize
874B
MD5b9d96f22da348d26fa1dc762812c7035
SHA15f6913260ff4ba4dbdc5bd22030bc1bd091dabcd
SHA25663b5f2cf7764d69d6b858ca369a52ef4f0e8bdeac48b5a5bb3f1ac197b63da3b
SHA51293f3ddf60739978dc2d7fa2834e9c5dba5c0f8b20f3c7d701648a087f5c0fa575f2dd49e847da9d8deee5facaaf352cf69fc84f00a4afcb4797340336d3b1703
-
Filesize
874B
MD5c80a46d759ddc8e66af17e15d7b3aa91
SHA1115440e5c0eb50b515c794100baf79ea490222bd
SHA256ea4f2dce84d2432ef44947cceb1cfbd5e22a9414e0ea30fcb0b64c8fcd048fc6
SHA5126426f283132ccc7b05a061eda4a83039f96ef58e63f8e725afac72dc07030fdc176cf01f2563ed78885b323d3509a342758b34e3e169a83ae909932f8cb86738
-
Filesize
874B
MD52656d5e4c4ff13fde56496fcaaead53b
SHA12002fb630d44cf967796835b10a9d96e7305553a
SHA256c21b9e0f9591ab133e297b233ef44d3cf0472b703b89fa9ac6a2483528065910
SHA51295459f71c0cdef4cc9abb7c7c35acee2053dfa486ade44762f09177f083c264a6caaa522a0920405d58bd471c2bcc74eb9492829a632a567097c4e2a95961eea
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5933348dafe7fd68c49cee3316e8b0e2f
SHA132a87b739c92c236f120a4b71518e0b4a3efd29a
SHA2562909ad4c606768b09167dc6cac0c0cd96c7835e7c8af110ba490d267e5f910ff
SHA51274013715a704b8e77447176512c1aee97e1323c9d4b457e018fe40398172ac3f99368cbced4b1de700a8179f7b80888241a39ba9753e1dc09c78f2cb47b48d0e
-
Filesize
10KB
MD57df344db1dc8def4c474099101c5a657
SHA189e329b76824bce80b922a9cb0e7a30a3545319a
SHA25608c79ad4ea8a123a815916cd11dc898d9dc7e78c082a80ae7d2f7728c4ddca2c
SHA512aa4abdbe0be66ea1b58ec7344bd588f5d94dd8d91b7268874837aa4572351bf10b608328e6bf6b7fbc8cd5a431d9a3fe8197ed1a6208c2fd8a27104161c5e4f1
-
Filesize
11KB
MD5c8c73823c336ea8aa45e78a3441574ac
SHA1c1facc18485cf92a15c46a3f258edca38dc53c3c
SHA256a1ea472042b2dd3967a49ec567a91dabfe86e0e287c0bfa2e187725b94d3c317
SHA51239a311b24ca912425c7542023e61548e278ae597411a9f98140e3665fb1d00173870840fca3cbcb7219c9c5aa8a38df53183c220fc809dd884eb2282185ccf83
-
Filesize
78KB
MD51efdc99ac114ddf7496b173312420d89
SHA1dfc5c20623d075dada1a1735d79bb13665a185ad
SHA256f64c52fc8db13dfd887c132df3ecbbe37cc7900e1c6f02d7c343d670871eb466
SHA512d1edfa1091b1008d6bca57c0db4caa0a0cf2336fa5cd0de2fc123187445f3ae5d7f5375fa923bba205f8ae34a28f0dce009e47029d7afabb1ae4f50a7193e155
-
Filesize
445KB
MD506a4fcd5eb3a39d7f50a0709de9900db
SHA150d089e915f69313a5187569cda4e6dec2d55ca7
SHA256c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
SHA51275e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b