discordrat | hxxps://mega[.]nz/folder/3ExDlT4b#3AwpMYtmlnh9srWS8RihVw

Resubmissions

02-08-2024 08:58

240802-kxgyratemk 10

09-07-2024 10:37

240709-mn12da1hnd 10

08-07-2024 09:32

240708-lhz2fssgrj 10

Analysis

max time kernel
81s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/3ExDlT4b#3AwpMYtmlnh9srWS8RihVw

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5NjA4ODM3NDEwOTQxNzYxMw.GXCO_h.FzCXXHzUl_a4K5zaggRAi_SdLV7ZD0of0VLMPY
server_id
1196038125751906374

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 5 IoCs

Processes:

generator.exegenerator.exegenerator.exegenerator.exegenerator.exe

pid process

3604 generator.exe
4928 generator.exe
4748 generator.exe
1340 generator.exe
5188 generator.exe

pid	process
3604	generator.exe
4928	generator.exe
4748	generator.exe
1340	generator.exe
5188	generator.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 199528.crdownload:SmartScreen msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 199528.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exetaskmgr.exe

pid	process
4840	msedge.exe
4840	msedge.exe
3716	msedge.exe
3716	msedge.exe
1748	identity_helper.exe
1748	identity_helper.exe
3568	msedge.exe
3568	msedge.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3716 msedge.exe
3716 msedge.exe
3716 msedge.exe
3716 msedge.exe
3716 msedge.exe
3716 msedge.exe
3716 msedge.exe
3716 msedge.exe
3716 msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

generator.exegenerator.exegenerator.exegenerator.exegenerator.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3604	generator.exe
Token: SeDebugPrivilege	4928	generator.exe
Token: SeDebugPrivilege	4748	generator.exe
Token: SeDebugPrivilege	1340	generator.exe
Token: SeDebugPrivilege	5188	generator.exe
Token: SeDebugPrivilege	6128	taskmgr.exe
Token: SeSystemProfilePrivilege	6128	taskmgr.exe
Token: SeCreateGlobalPrivilege	6128	taskmgr.exe
Token: 33	6128	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6128	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe
6128	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3716 wrote to memory of 1996	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1996	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 3428	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4840	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 4840	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe
PID 3716 wrote to memory of 1572	3716	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/3ExDlT4b#3AwpMYtmlnh9srWS8RihVw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa659646f8,0x7ffa65964708,0x7ffa65964718
2⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4804 /prefetch:8
2⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
2⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 /prefetch:8
2⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
2⤵
PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,15659822424801692740,3820475472446795289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3568

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x33c
1⤵
PID:1972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4248

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5188

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
63d57cdbd63a922cab209d1077cc2b0e

SHA1
52f1e661f99cf07872b9339e8b28a040b3e80226

SHA256
3a8e1cc1f45236549d8c46e26b37c390afc8762c736ffced96468bbe6282ae08

SHA512
42ff391369fe9692cce4514fc03ccf0f55c71d1fed0f0e0b0856facc3825d88e6d0cac30a22fdbf179e3dd20af8415a9c3c29af3747843c1aa024d2ed585c655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
69cc4b3b372d9ea3417b562b0e9de666

SHA1
66fe70a64fca520788e79544abea6351cc50f2dc

SHA256
fd3d3e65a4645238188a31d3508bf9a261546754b9127f7a0c01e3a0fe264219

SHA512
4ce0910773f87ba425df21d34cdad1e02ff9b1d2090537df32dec0c74b4822f1bf2537064eab8f398afe37351d82c3e669075d6e574524f36bbd75401bb97eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
95920725d59e479cc1a2cff6bbb5b045

SHA1
8e329c7ce662daabd91e15d5d82d9e501310fdab

SHA256
94f4ab95f2af96f4112a1b0ce947eed941367bd422fc2078597cfe367cb15f96

SHA512
c53e293e07bc437fe958965b7fb1c0b1be2711eaff9a43a31c4098b476a271d28e87d9a527e13746beeab465abe6b8e4efa4e98eeffb43bb314b33209e78c903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4b956765d89d64c2df4177145da62455

SHA1
5cbf437f926dc2fa8239ff95d9eae2ad0f772a55

SHA256
8b9b1068e92e131d30fea1ed7316533eaed4b54dbe5c582d30d1df27fb68ed52

SHA512
5df01bcb09aaf0b12218a74e39237fbae8c0fffc41440be11491159c5f32a7b61ec5fd299939f2097241256337a9ccdb8a3dd336764ec783f1c575c999e31a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
079ba8a1f3c85958807b68c7e3a968af

SHA1
3bc47d10c8d9db5b577b0d5501406853b0d3796c

SHA256
afef19968756022b708de11b47fe38b0c1c0ddabf9d7d105c23ab200b0743999

SHA512
9b085bc2f253be33569a196605393277a584dff08c0164f5a114e1ffec73431c8a3e24f4e2e8a4416bcd631542a456b987b71367d8c595d9a2923d98c7ccd0fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ec35.TMP
Filesize
48B

MD5
f7995cda9571243ca90fd3e60c946862

SHA1
f2ecc41ae0897c43f15f206eac8bc47d64c329bf

SHA256
9b3c0cdec33026a95c5fe8bff33ebcee5c3c2c29948f085085f0301c046b0417

SHA512
f1ceb57172c87e39224cd229f460100f9fa8a43f0cc0a2c2c7eeb618e918d53fe951a6253dd91c731a7dd7dd5264e6d6d7fac521517d2e775ff8f9a5eaaebe0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fb1d4bb5694d20513e77ea7cb2debfe4

SHA1
54fa519cd1626972a15ba4ef9055b4a211ab6356

SHA256
3d3dde257b9cd526ed44732a81bba1f74d55a55ac02a49f6ec760e0a0f1b8374

SHA512
75d699b8050648ba66f73c10e14a789e1740dad5c76649fe7b29614dfbc5213050df8b5bbe1212ff6c1bdce0ffa45172d4dc687cc23eb68b523e9a60c89e7119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
17b3a5159e27eed44491d486d2a9b462

SHA1
cbef6d957df073313c8fc8ec44ce76491efd241f

SHA256
15e8712bca694617a090317bccb548169ef058df2afac7f651e36dc10105771f

SHA512
dc8a9e505fe5327f7bfee881b37621273080e5be0bed9e15d37a1482262d899e523234064672b11e552693b9a036615a41a4297039d9db671d109f6141690a9b

Download Submit
C:\Users\Admin\Downloads\generator.exe
Filesize
78KB

MD5
31bcda599c19f1632e95d5a507e0ebbf

SHA1
7c005dab2c1ffc4daba3f712a9cc2d8938fb8a4d

SHA256
f65160ca4fdef810b8f508ff89c5d6aa179f016a406daa6821cf547dfe6713ce

SHA512
575bda4b684b9cf786e2de32b69d5df31e49f15964113260b74058027a305985ea0538276717547ac630f1d07ef84913b5c21e9b32df6d28db0c5da637f944e5

Download Submit
\??\pipe\LOCAL\crashpad_3716_PPBVVWBCGWNELYBG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3604-224-0x0000012FD4AC0000-0x0000012FD4C82000-memory.dmp

Filesize
1.8MB

Download
memory/3604-225-0x0000012FD5F40000-0x0000012FD6468000-memory.dmp

Filesize
5.2MB

Download
memory/3604-223-0x0000012FBA3E0000-0x0000012FBA3F8000-memory.dmp

Filesize
96KB

Download
memory/6128-267-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-268-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-269-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-279-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-278-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-277-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-276-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-275-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-274-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download
memory/6128-273-0x0000023B43180000-0x0000023B43181000-memory.dmp

Filesize
4KB

Download