discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/

Analysis

max time kernel
168s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/

Score

10^/10

discordrat discovery persistence phishing rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMDkxNTk2MzY0NTg1NzgyMw.G_dDaI.obqAg_BaES65U2WpWaJg18f_FO6zhgVjdkebyE
server_id
1302395575454666833

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
A potential corporate email address has been identified in the URL: currency-file@1
phishing

Executes dropped EXE 3 IoCs

pid	Process
6064	Client-built.exe
3740	Client-built.exe
5772	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
73	pastebin.com
76	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
5012	msedge.exe
5012	msedge.exe
5100	identity_helper.exe
5100	identity_helper.exe
3872	msedge.exe
3872	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	6064	Client-built.exe
Token: SeDebugPrivilege	3740	Client-built.exe
Token: SeDebugPrivilege	3220	Discord rat.exe
Token: SeDebugPrivilege	1948	Discord rat.exe
Token: SeDebugPrivilege	5772	Client-built.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3560	5012	msedge.exe	83
PID 5012 wrote to memory of 3560	5012	msedge.exe	83
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 4012	5012	msedge.exe	84
PID 5012 wrote to memory of 244	5012	msedge.exe	85
PID 5012 wrote to memory of 244	5012	msedge.exe	85
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86
PID 5012 wrote to memory of 2716	5012	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/Discord-RAT-2.0/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabf6646f8,0x7ffabf664708,0x7ffabf664718
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6065720391951522009,12201967065362630617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4060

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4936

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
423fef43a61412fa14e9f5a5dbcf1c3d

SHA1
8f56544a11c913a68d55bb343a54276eb1038bef

SHA256
26840f88d9c52b31e9d179d33d6868d6d57ab494ab2a0472e65881bad6e0b5fe

SHA512
ae57dec33cc1c002518769583f3a6c5bdee7d2acf4864c47c850016b489ec85c2aacc804a8bbcfa53f87722b880f9f7b0bd61d0398e1d60772632dae78e14564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8fd35c20341e4277a93274a7725a6f30

SHA1
d8fabefe8ac06f29f7d12082faa8b3d1c3dd3d9d

SHA256
17f67388637f1a620d2f9ea547fb711bb9060f5090a5580475c056d73aae6a42

SHA512
061781e24bd0dace0f2d10be0bd7c5b5987f78b2ad4e0b775ea2130a5d7c2a6f3ddb45b2ced1061ef53bb4552cab55e2b32bd5204dc5c9905b972e3c4613f37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d4b0cdef8ee1788e3b67a4aac3e19b00

SHA1
8740c0c6826568036249d2890d992f4014f1f532

SHA256
cc8970c8d6b08efe45e63291fab189facc3f0c16cb67ea23d983f7a6db968ae3

SHA512
1257063277af1704e1fc7fcf2969425cbfea0b250c034970e43a365326c1e88b5763f115f9b12c831c6ef6fa5f6d024179047156157ef1fc94646f7f5294ffde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
d7215a03452f114f3df7a6a728376190

SHA1
f7daa9e27c71ad1bc83db8ddfa4830819b7f81be

SHA256
70ac92a4b1beb653065913629c9cabbba9755a7f8f6f6d32fc0381e82813e30e

SHA512
d081201363dd1963972d194a7bdfe2b6a802c69de6a13ff4b6b86239835194e7cad5616767c475a8b8e1d5ce303b5276ec52f189954138ab8fbf2ed19bb2ff56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c7c4e3363552c65c1ade6adf15c57ff1

SHA1
e744d6c39ece3fc1990b878d7b7a80ef05a64d0b

SHA256
a67039bc4fe0c8b6ee6b48d832f69107ddd21fe873a5d6b9d1b26d7444e116db

SHA512
8d129af7ad7c43333a81e42110ac0cbe29b531a31c1142e1a89b96d0534b269fbbdd33db6d3c6ac3455b38e134f92fb4011eecf4f9e8df9cde21e27720483d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
65cc433e05cc2564e3e172712ff92d02

SHA1
0f2bc7fcccebe2865970fff59745279ae5e6a267

SHA256
f47bc7b7fe62eecfb431d9e94b3c9e0596f40979f4d61f71067f36162577225d

SHA512
1766ab26069f80ea1dd42b27bbf2d96f36da65f3da70a2cbde99fadfb03bda3c06294e4a6ef21fd12d1f5c02707cd513f8545f142101c41dcf6a40ccd6b14899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4911360d9a69a61ba90e5b22c9e239b

SHA1
2d63f2cd275458e4c5030381ac865167674bbd9e

SHA256
ec955345ddf2396f62dcb059d65d887676b0adec236a7564299a1a7cf0422bf9

SHA512
85db662b77ccee4b79c7fd42f152ee52a61e1415fc5a194dc8343226feae8ecc7fadf1649b7745380c92cce4d26c163ffdf08ef32e33c489e3d48d0d50f7c19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5339cd1d8d8d4d02bf1ca030cc5d8f7

SHA1
8cedbb283cd5615bbb19c03adca80d17b8808b51

SHA256
2aeaf69ae4039882c9e8458c48ee48da621952e52c8dbcf453f1dbb4e31802e5

SHA512
bd18f23931eef93ab55a3c93ab21541278e16b28ac9c6e12459a2188ecd92b5e49d46135aaa99a35fe5fe83cc7a1ebd5fd2f4515d702bbd9a55d95a9c73c383b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3b33074435453cb0ff9c564272e8abe

SHA1
a47b07063d37d7ab68d0db01e93e4e795a32c03c

SHA256
7526970054cd4f3d7bed90f2b55f8899898497a708e51503b52f709b37a2cd2e

SHA512
b3f61b439c5feb44b5df78275100aaa8f80cf87547259e07693176aab9efd825ad1cc47fc47861b005f830c239dbc2c2b49bd9037fc039119e86cce4027d261a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8f4ec24b890a76eaf5d330cd1414fe61

SHA1
2b9ca34d79d6d75de820539b4142fb0ae6b2d918

SHA256
f6b0a81874a0fb2f4f5a7b7ae84bd9143e7eae93167862ce44804199a4e7f327

SHA512
9bc6691c63f493b0f60664553082c9a6ddf0db9d2c4facf0e16f70f28251ec4fd1345a4389af61d1f3b61db3bc78697d4a94bb508ab0ee02d9d46ad29ff5a368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f917d6c44aeb4f3381d31e376f340107

SHA1
6e528be94f8acf27a138b7eabf856e0e5830725f

SHA256
57fbe2848f9203f54bd8154d4d80189e70cfd6c56c9a63e4e3533e38898e1129

SHA512
6e544de477b16f4d458ba98a0acbcf314cc7630096887acebee6ed289a21e7065dd8c6c67fc57ccb376c75da53d99fbf924dc20a2be42f85b3ea61c8bbe9c9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
37f4d6d789e3b089b05ba1465fe98ed5

SHA1
ab4c22ceadf6ac106c2b56e6224cb45489f70142

SHA256
54d6a97708917742d1ffce57b564487c66fec0e030d074c881fdc54ac7c0831a

SHA512
ed79e5379ac4c46cec9fdeceea0375165e0ef70bad8b4bcb28aaed093888e70a65a3d7a881391ce9a6e2189de48d5fac194112adffd2a8c0d98cdf2baab8df25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3a1e73d1c0c81946487949beb7b757cf

SHA1
fab89a4df6fd8588acb038c8ae763d8df3026af4

SHA256
70d265efbf9b4ef4065b86a7b0604dc4a2baa5e9bf8ab3dc6d00d09f404e1706

SHA512
705a10b10a7d26f835e9f5e5ad8e1d52afb32ad69f340c733aa77f5836c5142682d526faffc644f6adbb2e9c93d7d91bf4e6d0b316935bbed1ddc9ead3ad2dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5b628e8266a495d8acae7dfaeb4d1699

SHA1
72f95ee74eb98eb4780606f8821924e28fc8c27b

SHA256
13bf60eb527b5a90610d6c250646d6d8bc9f97e88673ba0c97472f879c242905

SHA512
9ea5cfaaf0285a06170fc6c04da43cc338ee3710fff3a9615ec868b0692fa47685ef03aec93a64c74f212fe4f524c0b3e2f02a9b61e829393a67ba535c0d9217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bdb9e42408c2622dc83ab32a477b7a11

SHA1
0a5bb21a540eee1661e0e88c6b24c1d3b7b552e0

SHA256
ad41f3feb4f59d3c6e5d9d64b7b350ccbbd3cb841468bebb123a5f4e0df4ecee

SHA512
61cf78d169664676d3c6058cad11f01d5a802b94f77a372c5c2c334ffd5e428d6d6d567ab2e92e35b8250dac1222ff8abf69789d4df342faf66ea59465e19f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3d0f3a6aa5232fe1370010981555939e

SHA1
fd26349b2ff9ec88bcf36525318d6a4d0b68ccc3

SHA256
c852bac37e09079372ca086e33c56f99056aafa3a705eec47058d51ad47e4605

SHA512
b0e67ce1300fda620277294ebf8e40443249f16ce05c2f0afa368a4835c7ddf80db9ce0af2574e181b0e1c288176732d76b1e7a6de34251e87b8efa37dfcb108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d522.TMP

Filesize
874B

MD5
58c13269104e5165f107a6b5079a92a7

SHA1
7987053fcb082c3cb256bce746bf74adf58d89b7

SHA256
7d568927d3122b16cc3e5b11cbaa4109c51bd1eb9420e7cd48849c1d07392b90

SHA512
2b861439d6e8c0f20bd826c41638deb63e457f8eda6e15e8793808cd4e70d6583d3c26e908fd8eefbdbcf0be29c32d109ee2cc965b18ad6a019ab66dcfc96945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e29ce0fd040b54f4b9cca60999e6f2fb

SHA1
cfe93803447108b6542e440541610942f81554e2

SHA256
518cc7428f79e9a81a3f675229b65d5e2375dae778bb2cb133c18ce7a242da54

SHA512
c92cc60a2d97a7f6f1a08adb7caad2b52b668b4ea8b20ee7547893958ca6c345272ab206776c4d31328d8497490985cd42d7c5d6e06fe0c1202b3a91fdd03a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d278383d6c6522679f3da3906cea6d9

SHA1
482d7182cdc9fce748c98e2af6a21b14f1c79122

SHA256
e82dd838f51d39d0319256823fab6e5e60b5847a34dc90cfbb5fa2c1e0fafc3d

SHA512
3674419238d07487110046cdf53da73c0ac952c6b2fafc7e213a028e06787eae7fb4b5a0b511ced197154620161935cf9ec21aa5f69329605a3815d4d2568bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c909b211e7626f962da874211b080849

SHA1
e48cde2db574d8abc9f0d4ae5101da7e8ee21aec

SHA256
f85d64c2a7dd1798b2113db72f997992266884765d6f4824b6525ab9ac3b2faf

SHA512
8916c758b15c9e3517a31a7d4be58b7ad717946f313d2dbef82524061cce42a0c2d48ba1b25a1b4d2f2fd958fd39fd4aa8a52f8e18ed835d5c56f5d36a79bd95

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
28ad9cdccee06fbfd57e80c02f35e161

SHA1
0eae70adaa141d4ea66364b17131dee8b5af5038

SHA256
81c75d84ba3460ba6c5eddccbd3e03e8712bc6153ca545b9f9d291213a522cf7

SHA512
4e0b78204d10fd4de44a04d71a8e661e214ca48b71a13073d1ebbe8459f72512cb44de41ab7f6376ed69e8e7d636e6a6c133deda5bf895a4a587f28432c2faf5

Download Submit
memory/3220-516-0x00000281EAEF0000-0x00000281EAF08000-memory.dmp

Filesize
96KB

Download
memory/4936-222-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/4936-221-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/4936-220-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/4936-390-0x0000000008290000-0x00000000083B2000-memory.dmp

Filesize
1.1MB

Download
memory/4936-223-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/6064-405-0x00000130FBAA0000-0x00000130FBFC8000-memory.dmp

Filesize
5.2MB

Download
memory/6064-404-0x00000130FB2A0000-0x00000130FB462000-memory.dmp

Filesize
1.8MB

Download
memory/6064-403-0x00000130F8C20000-0x00000130F8C38000-memory.dmp

Filesize
96KB

Download