discordrat | hxxps://easyupload[.]io/nejl7t

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://easyupload.io/nejl7t

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MTk5MDk4NjU1NzQyMzYzNw.G0LdLE.tmzmORfjq49iFHezK69dMPqSZbd-AOH6RzQ2bo
server_id
1281991592340750336

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 3 IoCs

pid	Process
2504	Rc7.exe
2408	Rc7.exe
2640	Rc7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
1267	discord.com
1314	discord.com
1219	discord.com
1220	discord.com
1224	discord.com
1266	discord.com
1263	discord.com
1268	discord.com
1270	discord.com
1272	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Costura.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Dragablz.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Microsoft.Web.WebView2.Wpf.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\functions-krnl.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\modules-table.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\Workspace.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.es.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.ko.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.zh-tw.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\Instance.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\libraries\debug.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Microsoft.Web.WebView2.WinForms.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\EnumItem.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\lua.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\MaterialDesignColors.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\runtimes\win-x64\native\WebView2Loader.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\autoexec\autoexec.lua	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\libraries\Krnl.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\globals.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\libraries\math.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\functions.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\libraries\task.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\params\DrawingTypes.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.css	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\MaterialDesignExtensions.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Microsoft.Xaml.Behaviors.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\Enum.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\Model.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\runtimes\win-arm64\native\WebView2Loader.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\settings	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\loader.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\runtimes\win-x86\native\WebView2Loader.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\modules.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.de.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.ru.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\Enums.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\libraries\Drawing.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\params\InstanceClasses.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.fr.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Microsoft.Web.WebView2.Core.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\base.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\libraries\table.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\params\DataModelServices.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\snippets.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\monaco.contribution.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\base\browser\ui\codicons\codicon\codicon.ttf	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\DataModel.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\base\worker\workerMain.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\ServiceProvider.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.ja.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\BetterFolderBrowser.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\index.html	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\Rc7.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\classes\RBXScriptSignal.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\keywords.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.zh-cn.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\basic-languages\lua\autocompletes\snippets.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\bin\Monaco\vs\editor\editor.main.nls.it.js	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\CeleryInject.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Rc7(Reamake+celery+api)\Rc7(Reamake celery api)\System.Diagnostics.DiagnosticSource.dll	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6728	OpenWith.exe
6260	7zFM.exe
2432	7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	4824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4824	AUDIODG.EXE
Token: SeRestorePrivilege	6260	7zFM.exe
Token: 35	6260	7zFM.exe
Token: SeSecurityPrivilege	6260	7zFM.exe
Token: SeDebugPrivilege	2504	Rc7.exe
Token: SeSecurityPrivilege	6260	7zFM.exe
Token: SeDebugPrivilege	2408	Rc7.exe
Token: SeSecurityPrivilege	6260	7zFM.exe
Token: SeDebugPrivilege	2640	Rc7.exe
Token: SeRestorePrivilege	2432	7zFM.exe
Token: 35	2432	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
6260	7zFM.exe
6260	7zFM.exe
6260	7zFM.exe
6260	7zFM.exe
2432	7zFM.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe
6728	OpenWith.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 6728 wrote to memory of 1544	6728	OpenWith.exe	144
PID 6728 wrote to memory of 1544	6728	OpenWith.exe	144
PID 6260 wrote to memory of 2504	6260	7zFM.exe	149
PID 6260 wrote to memory of 2504	6260	7zFM.exe	149
PID 6260 wrote to memory of 2408	6260	7zFM.exe	151
PID 6260 wrote to memory of 2408	6260	7zFM.exe	151
PID 6260 wrote to memory of 2640	6260	7zFM.exe	152
PID 6260 wrote to memory of 2640	6260	7zFM.exe	152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://easyupload.io/nejl7t
1⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4712,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:1
1⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4396,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:1
1⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5424,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
1⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5440,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
1⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5892,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:1
1⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6040,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:8
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6324,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
1⤵
PID:3156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6276,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:1
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6584,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:1
1⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6860,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:1
1⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=7036,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:1
1⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=7208,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:1
1⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:1
1⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7388,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7528 /prefetch:1
1⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7656,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7668 /prefetch:1
1⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7716,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7844 /prefetch:1
1⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7688,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7976 /prefetch:1
1⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7992,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8208 /prefetch:1
1⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=8236,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8360 /prefetch:1
1⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=8484,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8508 /prefetch:1
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8524,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8656 /prefetch:1
1⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8776,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8804 /prefetch:1
1⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8924,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8940 /prefetch:1
1⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=9080,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=9096 /prefetch:1
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=9224,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=9248 /prefetch:1
1⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=8492,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:1
1⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=8372,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8392 /prefetch:1
1⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=8732,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=8684 /prefetch:1
1⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=10132,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=10160 /prefetch:1
1⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=10908,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=10924 /prefetch:1
1⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=11080,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=10968 /prefetch:1
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=11452,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=11164 /prefetch:8
1⤵
PID:6328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=11444,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=11340 /prefetch:1
1⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=10848,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8
1⤵
- Drops file in Program Files directory
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10364,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=10380 /prefetch:8
1⤵
PID:6524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6728
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Rc7(Reamake+celery+api).rar
  2⤵
  PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=10392,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=9744 /prefetch:8
1⤵
PID:6800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=9976,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:1
1⤵
PID:6916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7028

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Rc7(Reamake+celery+api).rar
1⤵
PID:2872

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Rc7(Reamake+celery+api).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:6260
- C:\Users\Admin\AppData\Local\Temp\7zO478E67B9\Rc7.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO478E67B9\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\7zO4787245A\Rc7.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4787245A\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\7zO4781061A\Rc7.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4781061A\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Rc7(Reamake+celery+api).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO478E67B9\Rc7.exe

Filesize
78KB

MD5
31c11c00f5d8bb1475a4b2ff4501f877

SHA1
1e7fabe004286fcec0dbecae41df1380cb9c2d7b

SHA256
4060fe160e9a0d67314ea84ad1926bac5d56b79126f43418f921245d4f31ddff

SHA512
31662bc158797dc272215222618156c6172ff1c6239057b33d5e2a447bd6901fa6677cf9be4a370bad73399310a59b70cd5e24e0eb04f3701c80bf92084e0ff4

Download Submit
memory/2504-18-0x0000015A818A0000-0x0000015A818B8000-memory.dmp

Filesize
96KB

Download
memory/2504-19-0x0000015A9BE50000-0x0000015A9C012000-memory.dmp

Filesize
1.8MB

Download
memory/2504-20-0x0000015A9C650000-0x0000015A9CB78000-memory.dmp

Filesize
5.2MB

Download
memory/6260-47-0x00007FF9E9210000-0x00007FF9E921C000-memory.dmp

Filesize
48KB

Download
memory/6260-51-0x00007FF9E8880000-0x00007FF9E88A5000-memory.dmp

Filesize
148KB

Download
memory/6260-50-0x00007FF9E9BF0000-0x00007FF9E9C1E000-memory.dmp

Filesize
184KB

Download
memory/6260-49-0x00007FF9E88B0000-0x00007FF9E88D9000-memory.dmp

Filesize
164KB

Download