discordrat | hxxps://pastebin[.]com/G5gRi7mX

Analysis

max time kernel
954s
max time network
1053s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pastebin.com/G5gRi7mX

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE3MzA0MTUxODA0NzY2MjA5MA.Gt-8oB.7jzr-ASgHai4wKLOZjH1p7T1uv40vyGRujZEQ0
server_id
1264545346437255208

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
5160	Client-built.exe
4040	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 43 IoCs

Web Service

T1102

flow	ioc
248	pastebin.com
260	pastebin.com
316	pastebin.com
786	pastebin.com
895	pastebin.com
913	discord.com
253	pastebin.com
556	pastebin.com
798	pastebin.com
883	pastebin.com
915	pastebin.com
285	pastebin.com
450	pastebin.com
520	pastebin.com
876	pastebin.com
982	discord.com
206	pastebin.com
256	pastebin.com
796	pastebin.com
872	pastebin.com
907	discord.com
13	pastebin.com
403	pastebin.com
559	pastebin.com
737	pastebin.com
766	pastebin.com
904	pastebin.com
3	pastebin.com
320	pastebin.com
344	pastebin.com
760	pastebin.com
878	pastebin.com
886	pastebin.com
4	pastebin.com
5	pastebin.com
12	pastebin.com
411	pastebin.com
544	pastebin.com
891	pastebin.com
218	pastebin.com
407	pastebin.com
784	pastebin.com
917	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{2AABE001-2416-4507-96B4-8A145C251480}	msedge.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5160	Client-built.exe
Token: SeDebugPrivilege	2592	Discord rat.exe
Token: SeDebugPrivilege	2164	taskmgr.exe
Token: SeSystemProfilePrivilege	2164	taskmgr.exe
Token: SeCreateGlobalPrivilege	2164	taskmgr.exe
Token: 33	2164	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2164	taskmgr.exe
Token: SeDebugPrivilege	4040	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe
2164	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2572	StartMenuExperienceHost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/G5gRi7mX
1⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4188,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:1
1⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4040,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:1
1⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5388,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8
1⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5416,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:8
1⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5808,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
1⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6072,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:1
1⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6192,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:1
1⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6420,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6380 /prefetch:1
1⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6540,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:1
1⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6580,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:1
1⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6508,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6536 /prefetch:1
1⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=7144,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7124 /prefetch:1
1⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7364,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7276 /prefetch:1
1⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7648,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7636 /prefetch:1
1⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7808,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7668 /prefetch:1
1⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7936,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:1
1⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=8088,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8120 /prefetch:1
1⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=8080,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8224 /prefetch:1
1⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6864,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8420 /prefetch:8
1⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=7480,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8528 /prefetch:1
1⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8092,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8684 /prefetch:1
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8844,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8868 /prefetch:1
1⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8980,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8972 /prefetch:1
1⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=9180,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9036 /prefetch:1
1⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=7344,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9340 /prefetch:1
1⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=9184,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9336 /prefetch:1
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=9644,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9660 /prefetch:1
1⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=6108,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:1
1⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=8212,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8408 /prefetch:1
1⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=6124,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8968 /prefetch:1
1⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=9364,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9324 /prefetch:1
1⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=8364,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8060 /prefetch:8
1⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=8308,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:8
1⤵
- Modifies registry class
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=9124,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:1
1⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=8704,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=8028 /prefetch:8
1⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=8024,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7464 /prefetch:1
1⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=10208,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=10180 /prefetch:8
1⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=5660,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:1
1⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8776,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=10312 /prefetch:8
1⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5476,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
1⤵
PID:5928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1180

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2860

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=6276,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:1
1⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=9928,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9940 /prefetch:1
1⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=10316,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=10328 /prefetch:1
1⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=6916,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:1
1⤵
PID:5064

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=9648,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=9920 /prefetch:1
1⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=10356,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:1
1⤵
PID:5920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=8416,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
25e5d8434b0f118a523fffee4cdf5519

SHA1
2730e2efec8237854eb06f91f07425a7f4e54afb

SHA256
b34efbdf003b8573806631a8eb4b7f1581020e3bffb9f9a7f0d9b62991249113

SHA512
0e5f8a7361f4c5a934bb4df773ad89af1e5e6b447c528d955aa75066d5d55c51c6832bdc0041cf4dbd8d7ef3e2533649bbbdf8a2513383eded515fd877f55eac

Download Submit
memory/2164-28-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-29-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-30-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-31-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-32-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-33-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-34-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-23-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-24-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2164-22-0x000001B610A90000-0x000001B610A91000-memory.dmp

Filesize
4KB

Download
memory/2592-19-0x000001E5F7F50000-0x000001E5F7F68000-memory.dmp

Filesize
96KB

Download
memory/2860-7-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-4-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-1-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2860-2-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/2860-3-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/2860-5-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/2860-21-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-6-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2860-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2860-8-0x00000000063E0000-0x0000000006502000-memory.dmp

Filesize
1.1MB

Download
memory/5160-12-0x00007FF88FB53000-0x00007FF88FB55000-memory.dmp

Filesize
8KB

Download
memory/5160-13-0x0000020213950000-0x0000020213968000-memory.dmp

Filesize
96KB

Download
memory/5160-14-0x000002022DFD0000-0x000002022E192000-memory.dmp

Filesize
1.8MB

Download
memory/5160-15-0x00007FF88FB50000-0x00007FF890611000-memory.dmp

Filesize
10.8MB

Download
memory/5160-18-0x00007FF88FB50000-0x00007FF890611000-memory.dmp

Filesize
10.8MB

Download
memory/5160-17-0x00007FF88FB53000-0x00007FF88FB55000-memory.dmp

Filesize
8KB

Download
memory/5160-16-0x000002022F290000-0x000002022F7B8000-memory.dmp

Filesize
5.2MB

Download