discordrat | hxxps://mega[.]nz/file/0PNWSZqZ#UjgxJ1-tr1_7eqpE73tUD3kNN2RnS4SrnKVaYdSIE-Q

Resubmissions

09-12-2024 20:50

241209-zmkzzswkcl 10

Analysis

max time kernel
147s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/0PNWSZqZ#UjgxJ1-tr1_7eqpE73tUD3kNN2RnS4SrnKVaYdSIE-Q

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNTc3MjYwNDIyODk2NDU1NA.GLJDUi.35OkPShLzZToHO_MZL3sqv284uCFrDue754vyU
server_id
1315656350730162187

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5652	Multi Tool (for games and hacking).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
90	raw.githubusercontent.com
91	raw.githubusercontent.com
98	discord.com
73	discord.com
78	discord.com
92	discord.com
93	discord.com
95	discord.com
96	discord.com
97	discord.com
99	discord.com
74	discord.com
104	discord.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241209205020.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\85765c5c-bf1d-494b-acad-4e7eedbae075.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 182657.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3764	msedge.exe
3764	msedge.exe
776	msedge.exe
776	msedge.exe
1496	identity_helper.exe
1496	identity_helper.exe
5460	msedge.exe
5460	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4048	AUDIODG.EXE
Token: SeDebugPrivilege	5652	Multi Tool (for games and hacking).exe
Token: SeShutdownPrivilege	5652	Multi Tool (for games and hacking).exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 764	776	msedge.exe	80
PID 776 wrote to memory of 764	776	msedge.exe	80
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 4536	776	msedge.exe	81
PID 776 wrote to memory of 3764	776	msedge.exe	82
PID 776 wrote to memory of 3764	776	msedge.exe	82
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83
PID 776 wrote to memory of 4112	776	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/0PNWSZqZ#UjgxJ1-tr1_7eqpE73tUD3kNN2RnS4SrnKVaYdSIE-Q
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7fff035e46f8,0x7fff035e4708,0x7fff035e4718
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x268,0x26c,0x270,0x148,0x274,0x7ff74d4d5460,0x7ff74d4d5470,0x7ff74d4d5480
    3⤵
    PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:5476
- C:\Users\Admin\Downloads\Multi Tool (for games and hacking).exe
  "C:\Users\Admin\Downloads\Multi Tool (for games and hacking).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,13571245053275918916,12615613834060887270,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6628 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5900808c41169ea6195a92d04a860d56

SHA1
bfad5b4d9a1decb5e6f0baa16309ba8f90708d95

SHA256
007f553f1d762362be2bc74f9c9dd31611a1cf7e64fa4760ca9270484a24a33f

SHA512
a40b20d25608f69dba55b20a62fcdb8f0d1d099415372b688490617050e9170695d45cd59652933cde4e08f427a6d754d97843abfa7828b174737508d14fbefb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
2f2d960be6e50f3eaf1aafc4ebe084fa

SHA1
69212b8cc636be258805b99436fd47cc60839355

SHA256
25823474967165e6de023cf0dadbfaf124f41362d83ced66daf9fe28bce36872

SHA512
59c06a990704ed10eedeaa83c7c0f6a03de0570f6b4b5e48e247bccbda15282fc8c5db77d7a455cf329c2cdd66ff20f8e85821de183594fcd50cd5ea24c6af76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2af45267beec0d905b81baba591e58e5

SHA1
d7ebfa1fb16ecc563901f0fae767b6ef7f0976fa

SHA256
7e8a74a7009899f8042b98847e1c8d967987bd2f323267b881dc8b0c0fd559ff

SHA512
614f0f2e87ee3a9b05c22d6c420daf601e9a908a7724f4325df401cc01021d1106c71867c0fc5ebe9829c48c046e681ff446e7bb94aa4b04d246cdec1ede4c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe587bf1.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17bb3914dd69cad6d59f55fc3b6dce9a

SHA1
e31d230ff8c3b2a0675c457c5054fc2606e3e348

SHA256
66c01dbbc29cc8ea8475f2b8e35bdf8f13242d1a496fbb1b08982e1b8676fcd5

SHA512
c95cb341980b50951a799534ee133294af3dea5a8ba57f823d0fe6e43e1df361aadaae39282a998a8a713ccbb49ae8014e9d9d4a30d066d086f53143a3a559b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b399cbaba4640d0887c201df813d3f2d

SHA1
a5200b1ae45a11cc4c7ae2c5430ccc3721670505

SHA256
09eee8be06b389b009718e421b5e33b310d57ed924e8d1dddd1230fff1a8b18e

SHA512
a838c031f5860a5ebc56fa613e265d7ddd907c51d9d67bc81db707a528202d2c8af84f15787e490a52da5c2aa616c654c700919bf78ece43f55b1013b0a48417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96939bc3507edb0a5f44ec92b9567216

SHA1
d3891bd65bcfb543f3c3b2dd9fa2d738fa3aebf8

SHA256
042e3ab666eb1b36d2ea81a6e516b0988d0babb7ead437163312d0e833b7bb51

SHA512
3e120eac21917609b0b1756d79c801ddbc181ad9f379fc41544170cca8783d2b8761a9508c71942e9bcdd7748cfa6d448e72377aca13c9c2a16b44c14065a91b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
473ae9cd57ca6362339c04871f137f85

SHA1
96b58171f97022e27f6576859b6ffc80788861c3

SHA256
adb4aace43a656e31a9d2564be6b8a76b10b6d7c5b800dd0c3f14ca7fba1ef80

SHA512
0efc590b3927badf1d4c846943a3f5205cba5e621a1cc3667f83604e8cc7c9c35590cfc1c815c199d794260b56aa7cfaf8ada8d731e9e66195e5bcf61cfca206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
031073be32028dbccbb254da02b3383b

SHA1
44a87359b4fa40a59e72383b9016ca136b8a28ae

SHA256
a913730c7bd3e82552b15cfb9d9f1adb21d57aed9ea137c1ba331f9886163f3c

SHA512
97ee9aca1fc118ddb7b1ff69ab9395a118c71a3fa308b076c1957432ca3a12c01678466ff80f902ec6d4a0625a0af4188a3fe9d4d10ec42fe38ea826ea75383a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d73c2c53baa38e567289df2d7f5f5f49

SHA1
8d3d0ab9a356c0190f37fef9462eca932e339abd

SHA256
0b94f14520271009f21e2ce71255d3dc2d60c315396f3c387acb2ac87f4a3018

SHA512
eb8d2d4228f6b7671f3703e0d052c774c9c6445b25fd119212bde59a78fa3b2345ffd56b9cc21bb292f05dcf4e5404d00f0e6200be74eb6385fd45d86b75b48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c94b.TMP

Filesize
48B

MD5
0aa3c2bd85e3bd9aad529944ee98e0f6

SHA1
cfcfc3fd506d9cc61d2f5e843536fb06d907a70a

SHA256
9e9d462ea95e5c8c20c7eb1d0f257c8e9ecdab4ee059472557b2d2126f0e0516

SHA512
423e2037b416e93145cc676cf19d4f650527e7ad92957f82a3fc02c99578564b914193e49dea044af391d307a432a0c632248b53064ceb9ef16b2c34a522d235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03c88b9c0576e54e696d8750c07b87ed

SHA1
5be0c70a4ff62b486723658656d18093476d370a

SHA256
bd2acd2fafd0d7bf2d305d6ad2118cfb1a088d435684667644da5d0845761b5e

SHA512
6a2863e10e1c2952d15adfe11d1917a7c6219ae3e8e8fb666991ccc3a278c57b047ab370816f3e22fa9b46c838d1b1bb9c3181728884aa0f26c7272ff9dde1d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
193e4a428bff1732c7901fd9eb76b7a8

SHA1
b0b8770353fdbb2c384cd140374c43c7cdaf5947

SHA256
6494197f56b66a962b8604bcf0adab607c148f754014e0be402ddb904ad4e5f2

SHA512
e3097e4239e8a6ecdb16d2a475fe6f4ee53396d29d9e3729cfc338a4198eda0977eac0e090a93a8f692b6daccbb52b98bf97eb34b020e9a0cab9315b8a31c441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d8f96be3a3605047c20787c01dfa3fc4

SHA1
1b8764ae4cc6a602faa02bef012b95d2422c7b63

SHA256
2c23ae2c3697f77348a675ad07362ce4af3c53abfb07d79847bde8aead5910bf

SHA512
ff0cd7c49da507e0240e58c225bc3d5c7b01bf9381621d884ba1a2489fea5dc64afb7265c1d2c4988bcc9c69e01b7a0146a5c23e237b2fad6ed5803f2118664c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b13ca927e902e16e9da7302a7b1ee3f9

SHA1
94dca4b0573143edc7aa0328500ea7858ebdeadc

SHA256
9d8a7b08fb689291eba594b77fd47ed0beb9934476cf149a752d165768d23271

SHA512
856853fa915408ca4c7aea58f56c57c4f9e08a8509f2c14bab8ccd82a5c6b097fa8ff28804f06319dcca20c241792e331fbdab42b9d3376a938e8388a3894234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_5CFE3E28B6B649B2B00D43EE8A312E27.dat

Filesize
940B

MD5
47b0f9e3223c1cde134a3372f621d4a5

SHA1
fd633149d1dc14ff2cb4869746d6f069b0e3d727

SHA256
64df341c8fcdc027241b53c980ae1c1d49e74e44384d815d0d5bea1af7093d46

SHA512
910346542280687d8b4cbe1ec17d6a0f6e1106b2e634a6b8482afb052e7f9478ff5b8b8917bfb440a57f17ee040f42b148686cbd025aa8e8e391be6589f0f03a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
50f0a0aa01d4f8c0fa7a8e74e1a3f3e1

SHA1
e866626b241078733f6733b91aae1badfeebeb74

SHA256
a4a375c38058235cd3dd30f0b009a3da7269db6b136621d574b5ffb9e25ffbf4

SHA512
3baa9a51305cd955f04461ac76eeba7c9305dd07c8976b712f7453594481c0b9e5e273cf2b0d12d86948ec95e595ac60e57736b14d679d4035de7b247836f303

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
94faacf9c0084243c14102c99ecfd7d6

SHA1
209da76ee6d1f055c8b271a610b6d43ee172698d

SHA256
12299a539dafb083dcc3303b01dc71f72380695cb033d99317db6e57fec992e9

SHA512
36a8fbffa3a94a6efc0e9e2bf633edde016cbc05408b385bcd703322603401a1731041cbf75baf3bbe3f297c99e96c9f0195d6c82cf897c124087be4c477bbe4

Download Submit
C:\Users\Admin\Downloads\Multi Tool (for games and hacking).exe

Filesize
78KB

MD5
3084ebe426bc76985df22ddc7382b471

SHA1
1bba6613ea5ba3089052594e53526c5a2896c946

SHA256
a37271fba34d6c3ffac7b8ba13d06fbbe4d9f493a22d61645ff62b1404d0afe6

SHA512
875ab1abc1377d67821ad76c7fd169c0f243be3025cfd669148509d7afd604ca46232908d35f81254f620190bb3bc9260097f42655614657b5687a577a241a84

Download Submit
memory/5652-358-0x0000013B69BE0000-0x0000013B69BF2000-memory.dmp

Filesize
72KB

Download
memory/5652-359-0x0000013B69EF0000-0x0000013B69F0E000-memory.dmp

Filesize
120KB

Download
memory/5652-380-0x0000013B6B4B0000-0x0000013B6B55A000-memory.dmp

Filesize
680KB

Download
memory/5652-357-0x0000013B69F70000-0x0000013B69FE6000-memory.dmp

Filesize
472KB

Download
memory/5652-350-0x0000013B6A420000-0x0000013B6A948000-memory.dmp

Filesize
5.2MB

Download
memory/5652-331-0x0000013B69C20000-0x0000013B69DE2000-memory.dmp

Filesize
1.8MB

Download
memory/5652-330-0x0000013B67670000-0x0000013B67688000-memory.dmp

Filesize
96KB

Download