discordrat | hxxps://file[.]io/6sMcezuQw9Mp

Analysis

max time kernel
285s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/6sMcezuQw9Mp

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MzQ3NTA4NjEzNzEwMjQ0OQ.GohUoa.TpdOX2yxlyRPvT6sMweF8ZC5EEljizeIIXdae4
server_id
1283475329184305224

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
4864	BootstrapperV1.18.exe
3020	BootstrapperV1.18.exe
3092	BootstrapperV1.18.exe
1148	BootstrapperV1.18.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 174908.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
388	msedge.exe
388	msedge.exe
4144	msedge.exe
4144	msedge.exe
2996	identity_helper.exe
2996	identity_helper.exe
2128	msedge.exe
2128	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	BootstrapperV1.18.exe
Token: SeDebugPrivilege	3020	BootstrapperV1.18.exe
Token: SeDebugPrivilege	3092	BootstrapperV1.18.exe
Token: SeDebugPrivilege	1148	BootstrapperV1.18.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 224	4144	msedge.exe	83
PID 4144 wrote to memory of 224	4144	msedge.exe	83
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 2252	4144	msedge.exe	84
PID 4144 wrote to memory of 388	4144	msedge.exe	85
PID 4144 wrote to memory of 388	4144	msedge.exe	85
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86
PID 4144 wrote to memory of 4792	4144	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/6sMcezuQw9Mp
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdffd46f8,0x7ffbdffd4708,0x7ffbdffd4718
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8108 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8444 /prefetch:8
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\Users\Admin\Downloads\BootstrapperV1.18.exe
  "C:\Users\Admin\Downloads\BootstrapperV1.18.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2931027461570173477,1456206997487966459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2888

C:\Users\Admin\Downloads\BootstrapperV1.18.exe
"C:\Users\Admin\Downloads\BootstrapperV1.18.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Users\Admin\Downloads\BootstrapperV1.18.exe
"C:\Users\Admin\Downloads\BootstrapperV1.18.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Users\Admin\Downloads\BootstrapperV1.18.exe
"C:\Users\Admin\Downloads\BootstrapperV1.18.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
485ba57ff3002dd28a70081ba60f81ae

SHA1
022293ebde7165d9a28e41abb40635bea6622dd3

SHA256
7717f9ff2062f0eb5fb30ae127fa8016d1175f567ee18d70b8c1a3ec4dcbf014

SHA512
b7b87f87de0b0a18cab98f5a3b35c1122e69d52b85d540fca4c67da2e48e23166b7168f458b1478337a0524a46c45b635df98343c9169b44366651f3ead3ade1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
873c184150306bb823642e10ce2cc69f

SHA1
1edf229a8e1b5f89cda8b1fea730a039e99b8c82

SHA256
4d2b7ff4afe33f91d9570896d9e0e8079955ff19ad7a36d30bde94378baeab04

SHA512
04d56cff37239c10914d8755f60017bfc16eec21a48923544908d19c5d0fca59278005247b0bede93561fb28b2e7724d41ed03724aaf217ee9c62873be7fd3e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
cdaf8768444df47cecfdf8c0d364b47c

SHA1
d06f01d83816f015b860beea785f0010a64c56d9

SHA256
c2da63c7c792c29a1574b633546945455c17d8959014bfbc321f4093e918b73e

SHA512
cd5bb84900d305b9403a8821ee8023e18d1e633e34ccfc13345a6339f59e41fbe36e15a83d1029b24c42bc461e3c6f81e4e50da8a8786c0a795a6db5050c2e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea2fbca2089c57d88f13e753d4de702d

SHA1
ad77d1129f0739e3d9fdbc59a84c70d439f729a2

SHA256
143fda9c3bf3383d5ac9f57c1c4fe61ea1f7c4dd03e4ed4973d9307fd4478501

SHA512
720a16bfbaef1d35ee1a82dce33ff8ec52d3758db9391c7128ffa715b5915ec79f98a5b2ae2661c10bd345883dbb9cce642c3e27b8824faccab9794970ccdb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
fc6c744fb8f6919f317833c43dae32e1

SHA1
3b1393ecebdae2940f9a7a0aead4189b6804f560

SHA256
24ac5865f8b390813f9faeb8ba1717a2e5fd959e6b8bd8b71a079a72469a5b7b

SHA512
271f64fd02ce67b76b47951aec47a5802bd6f1a611d2ef0d9af6b182613ef8d7fad6929dceed5893e68afecd2fb03926c6539c962a1f0dc804d015f53890ab21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e2872c6d86d28bd31b716c58b5d1e75

SHA1
a032e602de88de920d80deeebd4a6a9ce6af12f7

SHA256
287b9537d99a4950a0b61e6808029a6e93aa76634cc11d1c8a13c69b5ef998c4

SHA512
801d0b9084def580feff838611a26ab7f584b96362a409f00e7b5b63e53d20267de2ebd21d8b64646c8e524efb2566ec7bb8b636fb3beacdde7be3d4ca9bc33a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
434ede79176d2f7fc89dfebc4ba2568d

SHA1
ea10d98e8d7dcef39ec9d354591cd4d35b957e0e

SHA256
3172f14437c146fa750b6a671b8bf14c0bab032daf5e9c6025daf2b5fa7f58b0

SHA512
128b13b0ea15f04a1943f87ba2885359967d3baab34984e77d5654958364129a1c28bff337c0b521b29fff5b9d70d0f546f4dd4b898400d796a57c6d20eae101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1de692c0829263edb82e479c5793f6c3

SHA1
f25bab2b366a37239bc4d9502a6d94a67b6d086b

SHA256
7e17d8187186af8e2152f6251f0400666494ae118bfbc6e2b2203f81c96b908c

SHA512
eae02a7885271e3a172664ee4bd6be2f28c3bc549cea11b76a1f160817bb0895e90421516b2d5866d990b097a63238d078c7e8cf2ce35158597d564c0d8ab43d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d4b5.TMP

Filesize
1KB

MD5
da5a613dfd120307f27b073df4132fb1

SHA1
95a830ddab5e66ec48093035431bd0bf4b9ef61f

SHA256
d7f1199c201d7e76c52e27d5c771cd8d48dbcabcae70d9fc74921e0dee7cda4d

SHA512
c55cbefa126b9fb2b739bae64979c65983889a34f3354b86110344639e5c30f7adbc71eaea8e39de70112dde616b636dcef96539cbe71a0fd1c9eb69bec08c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\db8d6e49-9774-4e33-abd9-df6da65851dd.tmp

Filesize
3KB

MD5
c9e1854bfa042efb02859056afb11eaa

SHA1
814883133864b3df5242f802d389007856696817

SHA256
4ffa904b4bf3118fdfd9e6283b348b51de53ec9b933c917350f57dabbf51b045

SHA512
f1dca8f21edb8caf6f2a90e73b39a7daad3a78c82f59faf05dfeaf11ff56347ec33198b0f298786f180ff67f88be9e4d70739d5b835e93db1f553aa2a9b0b8b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
deede2d632369d5c0f95fded90906268

SHA1
63512bb1de4bf199c94eb66bbb504f8621814d79

SHA256
05b05077218b3fb6594f5b9de1b312ed8611620d20acc102e0e9b74c918f7c87

SHA512
68ba89e0b8e7b043ca28f6cb8554042700e159f5013e4f4bb57eac743bde307cb4698e795f8dd7a9d8a9c9e51160e2b5afdf58754cf446fd7b28a70e4af8646e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b2108d713d99763e17b5549ab7db2ed

SHA1
41bcf126932dc5f1597e0a1e58cbd039691435e0

SHA256
76538a65b16fb040020f3d57a1f56b4928be35967d41f3dfc92ef77f49b8a2c5

SHA512
9ca4619867a94a25fa19ab72831823f31e58a05fe9fa08d8f61a9f44e2e959aa291126706dd17476f9f35913fa058621d2740112ffd809a32778082e6fac68a4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 174908.crdownload

Filesize
78KB

MD5
f1f47d4cd19d07ac078ed5f9a51ff46e

SHA1
8594a3d64885e3544434abebb2a3c199130a332b

SHA256
0279834e3a8560616fa6078c8691b970c3f7fada6db8878b9d62a2570b723fd1

SHA512
50580ee4dbb17141542c54baaf876e4c4a5648bef699a1bd170389589bf6542ab8c19b7a4168c710dbad72799783d2391bda39e702fb15debc5fde8fef84899f

Download Submit
memory/4864-276-0x00000286EB870000-0x00000286EBD98000-memory.dmp

Filesize
5.2MB

Download
memory/4864-275-0x00000286EAF90000-0x00000286EB152000-memory.dmp

Filesize
1.8MB

Download
memory/4864-274-0x00000286E88E0000-0x00000286E88F8000-memory.dmp

Filesize
96KB

Download