discordrat | hxxps://gofile[.]io/d/6YiFME

Analysis

max time kernel
112s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/6YiFME

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
server_id
1250682422434074634

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

Processes:

flow	ioc
61	discord.com
104	discord.com
111	discord.com
64	discord.com
97	discord.com
98	discord.com
106	discord.com
110	discord.com
60	discord.com
81	discord.com
94	discord.com
100	discord.com
107	discord.com
82	discord.com
102	discord.com
105	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "120"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1356 msedge.exe
1356 msedge.exe
624 msedge.exe
624 msedge.exe
2340 identity_helper.exe
2340 identity_helper.exe
4308 msedge.exe
4308 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe

pid	process
1356	msedge.exe
1356	msedge.exe
624	msedge.exe
624	msedge.exe
2340	identity_helper.exe
2340	identity_helper.exe
4308	msedge.exe
4308	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4992
904
3932
5152
1224
3100
5984
1236
5376
4256
5396
5416
4304
3252
1072
1832
448
4608
2984
1332
5488
3920
5312
2520
5764
4612
4028
3420
5580
5480
4936
5796
5848
2864
1444
3984
2928
1468
1372
4228
2052
828
3792
4480
2196
1196
1824
4184
4440
4968
2396
4792
3924
5040
3276
1632
3912
4764
2168
4240
1920
2424
5836
5644

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

compiler.execompiler.execompiler.execompiler.exe

description	pid	process
Token: SeDebugPrivilege	5588	compiler.exe
Token: SeDebugPrivilege	3324	compiler.exe
Token: SeDebugPrivilege	5668	compiler.exe
Token: SeDebugPrivilege	5852	compiler.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.execompiler.exe

pid	process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
5588	compiler.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1724 LogonUI.exe

pid	process
1724	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 624 wrote to memory of 1948	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 1948	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 4704	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 1356	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 1356	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe
PID 624 wrote to memory of 740	624	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/6YiFME
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef34646f8,0x7ffef3464708,0x7ffef3464718
2⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
2⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
2⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
2⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
2⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
2⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
2⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,875176734433970772,2350185214039961773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5340

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5588

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5668

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /L
2⤵
PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cdumper\setup.bat" "
1⤵
PID:4464

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3922855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
0fcd76e06379b537b18aba16ddb1e957

SHA1
1629a9ed3851ac056e52a5ed773815248264c0d2

SHA256
001b41c139362d1e7af62cb79c642dc50e8a93ef6da51f07c2f2c7f911d8ca8d

SHA512
0ae482dda63cc64debdeda411fa95758a4e82fe1ab38c0f90660f1d43c9a25e5f0767cb405bdec64f824eafc27bcd6680f7006e3ad0c35a3edd3cda743acfcb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b3c9c65f75d59096142ba86c6fb3d0b2

SHA1
f76883f486e7e4b353f8e043e302bad4bdb990b4

SHA256
421763e3605de3ed826be76d4d326ffe2629869ae391f334cdbbb1460abfd019

SHA512
38139fcd573a4192a0f8a6071645c1311255dba50192cc2025a999aabff9d0ed0aefb910b9fbf0e7c1fcd4f9ae884fed81a81fa91f3082985ca9d771b29f47c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5f309fccbcb62626d45165d4fde752f2

SHA1
6efbad8f54e1fa8e18d6a214f44fcd4351e1f7f9

SHA256
26f14abc16379d8e49f03d7c184583d7154d9b435bf0806f316a21b2a1de01d3

SHA512
f1d23bcd9be31f563c1914e443d0c28f375741132dbcd709788dd96ecdbc4898b63adaced4a81cbdb0bfbe8302f009db34aad5c8ea62ef8fefec0bee8d2ccc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
75d4e2f6a3cdf2d281d1242b2e024d76

SHA1
7747e60dfdd6effa5ccdc87b652780fbda5f4cb0

SHA256
6f90a5cf4e7abf8d9820d40713a2577b1e6e7688ce039f6043dc83a94aa8112a

SHA512
3581b367e1faea69b7cfb338ed91356e8a80cdd96ffd5638180eafe8c46d83ed3ae5f4c96253eef153ddcfcc5e095ac7033773804dd63ec09b27f1b84b74affe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
52e9aca3dfc49e0f091db4517b101109

SHA1
9533b3b8cd2ad0e2ff541ed6f01c5c633075225b

SHA256
2504ca4237691077496570ea635a33bdb6df067cd45822fec0a58c6d544d5058

SHA512
4bc7dc45ae5716cd15b2c77c48bc5f98c9bfcee3775147435afe7bdb5ccc2874f7919eea8114ba119a9bcf99bafef81d99649fdca8dbea7ef08f379aeec5f30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
626a3f70aa8cb52693d489cebde01984

SHA1
f130ddb2517b7e70bee7869e519f76c329641c7d

SHA256
92c7663e8d7127a728e94703a758d1b96128b7b94e7227a357d02a3b7f0677ef

SHA512
c135cc874ceec47e586d094cb1e9068f11d4eddf11425e2b3e3bc724956a8ed675253e326e0b91a5275a11421688f18f68026fed8e6b4bbe3094b86728899e52

Download Submit
C:\Users\Admin\Downloads\zip.zip
Filesize
29KB

MD5
b05c33e2ae171f3931ca355e4820cf62

SHA1
8f4ae9550a75fa1cf46b282b03cdb4f809e4ffc6

SHA256
74b6089379acff9803a37c3b5e8bc86c5877a319c4ced5a714ff9c9c63905188

SHA512
fafa0f20f07d20bf99304a087d27bb478c630f4e74aac8969a150cacb89120a8cdcd726a98110088cd5b8352e56b8afa19811445eb5ce6b9598dacaa5ca79766

Download Submit
\??\pipe\LOCAL\crashpad_624_KVAFELEUMQJXSTHB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5588-115-0x00000282B41B0000-0x00000282B41C8000-memory.dmp

Filesize
96KB

Download
memory/5588-116-0x00000282CE890000-0x00000282CEA52000-memory.dmp

Filesize
1.8MB

Download
memory/5588-117-0x00000282CF090000-0x00000282CF5B8000-memory.dmp

Filesize
5.2MB

Download