discordrat | 20bc2be9597f976bd3c1bf989dba7c69100ffdf1822ee6a9fb692c5dbcbe2521

Resubmissions

25-07-2024 00:08

240725-ae97gawajm 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37dda433188cc44a429daa75ee65534e.jpg
Size

99KB
MD5

9f6c7fcff7e3e26851d2899247d44217
SHA1

ceaa809507add866adaf82070399f4ec587869cf
SHA256

20bc2be9597f976bd3c1bf989dba7c69100ffdf1822ee6a9fb692c5dbcbe2521
SHA512

ab7255e85a5694b6e43d24167b2081617e8acdb8c545e6956df77b3fa39f7e000ef4007028e78a67f5b2165d3c7f25ec3bd5d06fee02ac7a9481d9184da93d8a
SSDEEP

1536:ZMDFNrM4GFL/1CEV5WmxHSxZd+CCNC+G+vSFYrsHpxcPovRvP0IApE+60TA:Zu7r5GFNCAWmYVtFHvXxP0I2EcA

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
532	Client-built.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{40E05164-3FA7-40E4-8D4B-FE6848763ABA}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
996	msedge.exe
996	msedge.exe
3292	identity_helper.exe
3292	identity_helper.exe
4956	msedge.exe
4956	msedge.exe
3848	msedge.exe
3848	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	Client-built.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
3988	builder.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4084	996	msedge.exe	97
PID 996 wrote to memory of 4084	996	msedge.exe	97
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 4388	996	msedge.exe	98
PID 996 wrote to memory of 816	996	msedge.exe	99
PID 996 wrote to memory of 816	996	msedge.exe	99
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100
PID 996 wrote to memory of 5012	996	msedge.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\37dda433188cc44a429daa75ee65534e.jpg
1⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff94b8d46f8,0x7ff94b8d4708,0x7ff94b8d4718
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13199204438663025409,15732314591544876165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1856

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3988

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
39dfd4ea7f970ba79fbf2decdba043bf

SHA1
54926a161b55411a30828397741ecfdebc8f194b

SHA256
8c259e66e3ac2b137a9c488e66ad1c4c3d92cbc1546235a6f56f7d39840870be

SHA512
4110a21831d3690522df4948f8d631f380bf8dcc8423a085ee9900f3b3f4d7eaf85033153249c20338578bd797d1cf0750f540fefa9f15aefec50188dea45fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
989B

MD5
1cb03f102a07b056ab69612280735398

SHA1
9c6e605aa3a7d3d300e9a2ea8f6180fc1209fd99

SHA256
5666baf8ddf30b49ca46542069feeae8869a3838e006b5457fbd6586bc4023fe

SHA512
66116b115f816d7000aa6fa13c91df6311180c100f18876b49ada1fa21fb7bfe8e415abc76ae5b299c0d45323828545e907a05c53fe31d11eb35e52aaa97e596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4a6c51d17d27edec4fec74793f6e451

SHA1
6d2eca51396eaa2d30e1638906a8f4d3d27f9277

SHA256
1d43b4f5f9ee615b2621e753b3a62dd20f2c47957d5a66e9c7d2a4f3c0c64a68

SHA512
e68d039d3f415193e15a9900c1c26403ee50aa3c119867a759ad8791039f592cca738acaca37c8f33698ba5b8a73a627acdebc884cb2fbc657a8d114720a1b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f928a88d5533bf36b312ce6b6c27a60

SHA1
bac223ab99f891a15f6ad72477f00776ed7d40d1

SHA256
ca9e1c254b7b7ada0640ca0398489527f4b877405e17df9b73659b7aec4994c3

SHA512
23a62d26343221279b9808c9692bb56da06431ae3917df50f6f65269d512e398a07eceb8cb6949936a60f48fcc1fd448ec49119fd5931fa4edf10a2790b2f297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd78e57ca20f8fbb4a929e247c0d95c2

SHA1
45f99f5c51a5a810dbb631336d9744bf552dab38

SHA256
67136a4e88968ae45c0b5375d1c4ba81e304073dec5cf1e66135e06c9cca2d96

SHA512
615778bb152bd6518859820c0859a3833ae2a742033439195034dcf062e6dba16d43e521b6a8abd5b41b159250fa46cb0257184e2e2abd3da7aaaccef5005a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb3f15e01e27a8b91ce14af5dcb534ca

SHA1
9ba0ded481669ea9519f0d1804821a05b6ff507f

SHA256
63f82896f3a93e62b748c2127b2f14f6eb067cd92c4ddb2088c61da2b78e994a

SHA512
78f8d5b78e66105b3cb69bd722244d25f321b2418e0003203d0fce5f51888edcbd8d9a2df2431d743f4522b3518401f9417f2459c7663820083709e5e2862da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e29b.TMP

Filesize
1KB

MD5
802fd2b861e00abb5e0671ccc3ecf8e3

SHA1
870bd5be44e18d3edce451777d2db2f6cc812ba4

SHA256
43cf47303cfbaa519d06301e05203b2b92f9516a8211c42ad3f7746f656866ce

SHA512
33a58d3e33ceac614f200156f4b306075bbad95cb30b44a356fe404d27639ba9fc93fba851f55e0990e952441977ba2022a75df712568f040c14ce68d6c56633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e363de0d-1e92-442e-aff8-8ed191cbc85b.tmp

Filesize
6KB

MD5
6ebca47a28139e716331dabbf07f5141

SHA1
5f5386c4d56bb048c935a08f6ab646a0081da5ce

SHA256
9356e50213dfa34c65f584bbbc47e165ec8675006369ca8c80e6d8010449773b

SHA512
7a6b0def638ecbc6c1a33dcf5545f5fa0970d74f3909ebb25cc0b04022c84722ddbc1c9f921e0d8178a496b2a991b5f2cc244b20afd1d86525698ab2a47eadda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8c594461fb1a4d53e0d4edfd1b959857

SHA1
7992bb3db9457eb5c06f706517976b3a55d3845d

SHA256
d834226912252b884c07ba428cfba2c8ae90d018ce376a19c23d407cc1920ce4

SHA512
814d518917f142449fa8ab3508a9957fa53ed2024b62a7ca8bde72aa1b8cd2553dd0dcafa42c282e9980399950f9fc498b854f548fe0fa90008b830ce845bc64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7cdfb933c52e2f1e58dc11212bf8349

SHA1
1fe41e4d098b1bd764657f10edb945819c820781

SHA256
96042c5b4fb3cf1f30796e8d3a116467df8eebe5c60598442dc0b970d4af1291

SHA512
e230bf48839f5c4ff6df316e781b8a5b18d83bdac35c4808804bcf2afff4bd05caeb0d01a91ae9920ece1f70864fd490d8ed06700d9c0a37010e27ec625c0bf0

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
5fa78b19ae158350ead3ef50feb6a7a2

SHA1
57d57ca525968fd9d5a9ee38e783e288896caa01

SHA256
1d4914ee768fbaf1b82a860ace972a01338c12a05ff7dbdde42bfab43b21a4d5

SHA512
c0d0803b5ceaa4c3013132ead8d8a95faae4a01933c41cb4c998572c2a31c971faab5bb2c488aee8d73a16a0037a78e09130e1ecd2804c40f0665399c404c00e

Download Submit
memory/532-443-0x000002C297CE0000-0x000002C297CF8000-memory.dmp

Filesize
96KB

Download
memory/532-444-0x000002C2B2410000-0x000002C2B25D2000-memory.dmp

Filesize
1.8MB

Download
memory/532-445-0x000002C2B2C10000-0x000002C2B3138000-memory.dmp

Filesize
5.2MB

Download
memory/3988-419-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/3988-420-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/3988-421-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/3988-422-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/3988-439-0x0000000008AA0000-0x0000000008BC2000-memory.dmp

Filesize
1.1MB

Download