discordrat | hxxps://gofile[.]io/d/6YiFME

Analysis

max time kernel
102s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 14:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/6YiFME

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
server_id
1250682422434074634

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

Processes:

flow	ioc
23	discord.com
33	discord.com
49	discord.com
73	discord.com
89	discord.com
98	discord.com
4	discord.com
43	discord.com
82	discord.com
84	discord.com
86	discord.com
88	discord.com
25	discord.com
27	discord.com
94	discord.com
95	discord.com
68	discord.com
79	discord.com
90	discord.com
92	discord.com
96	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "225"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\zip.zip:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\zip.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4196	msedge.exe
4196	msedge.exe
3460	msedge.exe
3460	msedge.exe
2508	msedge.exe
2508	msedge.exe
2892	identity_helper.exe
2892	identity_helper.exe
224	msedge.exe
224	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

compiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.execompiler.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	4680	compiler.exe
Token: SeDebugPrivilege	3808	compiler.exe
Token: SeDebugPrivilege	4676	compiler.exe
Token: SeDebugPrivilege	2148	compiler.exe
Token: SeDebugPrivilege	2084	compiler.exe
Token: SeDebugPrivilege	1596	compiler.exe
Token: SeDebugPrivilege	3116	compiler.exe
Token: SeDebugPrivilege	1164	compiler.exe
Token: SeDebugPrivilege	2384	compiler.exe
Token: SeDebugPrivilege	4640	compiler.exe
Token: SeDebugPrivilege	5204	compiler.exe
Token: SeDebugPrivilege	5284	compiler.exe
Token: SeDebugPrivilege	5376	compiler.exe
Token: SeDebugPrivilege	5456	compiler.exe
Token: SeDebugPrivilege	5556	compiler.exe
Token: SeDebugPrivilege	5644	compiler.exe
Token: SeDebugPrivilege	5740	compiler.exe
Token: SeDebugPrivilege	5832	compiler.exe
Token: SeDebugPrivilege	5924	compiler.exe
Token: SeDebugPrivilege	6016	compiler.exe
Token: SeDebugPrivilege	6104	compiler.exe
Token: SeDebugPrivilege	6156	compiler.exe
Token: SeDebugPrivilege	6248	compiler.exe
Token: SeDebugPrivilege	6340	compiler.exe
Token: SeDebugPrivilege	6436	compiler.exe
Token: SeDebugPrivilege	6528	compiler.exe
Token: SeDebugPrivilege	6616	compiler.exe
Token: SeDebugPrivilege	6712	compiler.exe
Token: SeDebugPrivilege	6796	compiler.exe
Token: SeDebugPrivilege	6876	compiler.exe
Token: SeDebugPrivilege	6976	compiler.exe
Token: SeDebugPrivilege	7084	compiler.exe
Token: SeDebugPrivilege	6320	compiler.exe
Token: SeDebugPrivilege	7176	compiler.exe
Token: SeDebugPrivilege	7260	compiler.exe
Token: SeDebugPrivilege	7356	compiler.exe
Token: SeDebugPrivilege	7448	compiler.exe
Token: SeDebugPrivilege	7584	compiler.exe
Token: SeDebugPrivilege	7676	compiler.exe
Token: SeDebugPrivilege	7776	compiler.exe
Token: SeDebugPrivilege	7920	compiler.exe
Token: SeDebugPrivilege	8160	compiler.exe
Token: SeDebugPrivilege	7200	compiler.exe
Token: SeDebugPrivilege	6432	compiler.exe
Token: SeDebugPrivilege	6872	compiler.exe
Token: SeDebugPrivilege	8068	compiler.exe
Token: SeDebugPrivilege	3916	compiler.exe
Token: SeShutdownPrivilege	7056	shutdown.exe
Token: SeRemoteShutdownPrivilege	7056	shutdown.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

msedge.exe

pid	process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

760 LogonUI.exe

pid	process
760	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3460 wrote to memory of 1404	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 1404	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4564	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4196	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 4196	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe
PID 3460 wrote to memory of 2248	3460	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/6YiFME
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9400c3cb8,0x7ff9400c3cc8,0x7ff9400c3cd8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:8544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,9022132093784423030,14517298236188365228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:8516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1500

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5556

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5924

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6156

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6248

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6340

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6436

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6528

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6616

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6712

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6796

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6876

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6976

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7084

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6320

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7176

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7260

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7356

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7448

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7584

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7676

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7776

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7920

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8160

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7200

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6432

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6872

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8068
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7056

C:\Users\Admin\Desktop\cdumper\compiler.exe
"C:\Users\Admin\Desktop\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9a91b6dd57fc9c4880d34e9e7c6b760f

SHA1
77a09da6ef4343a8b232386e000cd2d6b9fc30a3

SHA256
0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a

SHA512
9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bbfb66ff6f5e565ac00d12dbb0f4113d

SHA1
8ee31313329123750487278afb3192d106752f17

SHA256
165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754

SHA512
8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
5ab85f642f4509231d8398e512b3f9e8

SHA1
146aef5498a37b4db1fd82eb6270536993c2f571

SHA256
dd6c2854c264784911eb3c9c077f4ca4810bc6865fdd9bc94228408c002792b1

SHA512
8a6b78fcafec6d9d193ddfda5ddc69bda5133ab6cfe13d09316a73077c94c2c6829c96fcbf718f02c0a66508ca79c88fab83f36d7bed8f9b0fdeab6242d9cc05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
880c5d440f74b2649646e5b047776c3a

SHA1
0582f1f4e1ea64100f680374befe122027734f9e

SHA256
5da67da6896ef260a85ea4a4342d21bb328de799d03173dbe56975f443629d9d

SHA512
1e759bfa2af22ad10fce78dcd33f132390265970fbc95b7fa1dc10d62c4e88f9c42736cbbd5e986da708ac15d2606ecbb2a863376286098746e0d63bf7593452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
925bfbcb570a4dca1c3b50c8627b7e79

SHA1
3ab3a9b806afac0b80f18e4ab594a9d02fa3407b

SHA256
55832bb5228d06c7617917a42c2d29070a4369aa0512e1bf0b87b543e5947186

SHA512
e39d07c22a8bf38df336a46bc481695beb394cd2081ce6b1a453de35317fcd1dd7dddb1c9807b3c3f2f71a0f6651e0fe02c65c94c0af168425442dd7e1d88ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ede657dfd8f9fe996c01616e95edd35

SHA1
e6a9479c93f97dbf2fb33e87b0dfee8b6c894e01

SHA256
4e46d910cee714948edcca8759f8dfed3fa8b962eba4cdb1e4118d16eec21ba5

SHA512
08b5a495fed600fb8df1a750dee20dfc2535f302bfba49a04de923b8135e3e4fc3f679a2da03e141020f6d3e41f4d1955d7ed0517873a4bec665bae88c965c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1824dbd0bfd2fbf2acf213529dc44d3

SHA1
740c847b7d2e26ae2e037882a8a2fa9c50f8df6c

SHA256
209c1a3c37689abeb91e2f13bb58a5807bb5bb6dcbe361004dc66e547a87a821

SHA512
fda79bf8e8253c5368f6e3cb84a865498d001aeb521315fc3b301a8beb07af93c0118683ee3d65b9a25ac1957d1f7f4841531d466bb923f0fa667b75975de645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4acbafe86a757bc430de1ea056a1529

SHA1
7d1b89fa33ac058204446d068c9bb9f8c3238b23

SHA256
311dc9ab220ece9e2f28521923bcb8ca0d839d9c122c145479c2273804938837

SHA512
f0b89e214b2ffbc2a910affb78610e5794feec68ee24ea8ef609dc96e3face22202ab12861cff510cba97d946f85b11699614118257b7520fc22b31610e1c196

Download Submit
C:\Users\Admin\Downloads\zip.zip

Filesize
29KB

MD5
b05c33e2ae171f3931ca355e4820cf62

SHA1
8f4ae9550a75fa1cf46b282b03cdb4f809e4ffc6

SHA256
74b6089379acff9803a37c3b5e8bc86c5877a319c4ced5a714ff9c9c63905188

SHA512
fafa0f20f07d20bf99304a087d27bb478c630f4e74aac8969a150cacb89120a8cdcd726a98110088cd5b8352e56b8afa19811445eb5ce6b9598dacaa5ca79766

Download Submit
C:\Users\Admin\Downloads\zip.zip:Zone.Identifier

Filesize
150B

MD5
2b73e0bea5f60700411a84162a62a592

SHA1
2c789e985eec15f0add6bc8c58b95f77e2dcae59

SHA256
5dfa34e9167a49fe7d961f1226cdf07f01294aa2580bd440161bb18ec9842c10

SHA512
fbe3751fa405083a426dcf58f7fa21f1bccb6565bfd3f387503cde70c7e655d156dddc3bc7497a80ee8498d4b70d5d29befc4e9751b178cb3b1253e9b91aea14

Download Submit
\??\pipe\LOCAL\crashpad_3460_IYGYXWSYKYBYNUEU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4680-148-0x0000019E005F0000-0x0000019E00608000-memory.dmp

Filesize
96KB

Download
memory/4680-149-0x0000019E1ACF0000-0x0000019E1AEB2000-memory.dmp

Filesize
1.8MB

Download
memory/4680-150-0x0000019E1B540000-0x0000019E1BA68000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads