discordrat | cfd9da2ff11bd55e76125eebf234042c5a06b8743a93717b820622849a2f7038

Analysis

max time kernel
90s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-12-2024 04:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

de442b92fcc6b8a28cd1983f68888dc3
SHA1

10066ba190b0b876fe9d39ea20f67b0c849a1d2f
SHA256

cfd9da2ff11bd55e76125eebf234042c5a06b8743a93717b820622849a2f7038
SHA512

e441f634a8128adb800ce56914750b1a4ff9a80fcd51960cfec5fa5e5262855c763decb4e9cef0aa19282ebceb4dad387b702f8be6a2228e004fca0fa6b91873
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+OPIC:5Zv5PDwbjNrmAE+qIC

Score

10^/10

discordrat defense_evasion discovery persistence privilege_escalation rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxOTEwMTg1NDkxOTAzNjk2MA.GCUf3G.XFcTpUzToj5RvHJaCwYlInhFElu5QcrOsBscOE
server_id
1319102558568058921

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

UAC Bypass Attempt via SilentCleanup Task.

defense_evasion privilege_escalation

Bypass User Account Control

T1548.002

pid	Process
132	SCHTASKS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	discord.com
7	discord.com
8	discord.com
11	discord.com
12	discord.com
13	discord.com
36	discord.com
37	discord.com
1	discord.com
6	discord.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3592	msedge.exe
3592	msedge.exe
2752	msedge.exe
2752	msedge.exe
4704	msedge.exe
4704	msedge.exe
1636	identity_helper.exe
1636	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	Client-built.exe
Token: SeDebugPrivilege	3712	taskmgr.exe
Token: SeSystemProfilePrivilege	3712	taskmgr.exe
Token: SeCreateGlobalPrivilege	3712	taskmgr.exe
Token: 33	3712	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3712	taskmgr.exe
Token: SeShutdownPrivilege	5036	shutdown.exe
Token: SeRemoteShutdownPrivilege	5036	shutdown.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2812	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2752	2848	Client-built.exe	79
PID 2848 wrote to memory of 2752	2848	Client-built.exe	79
PID 2752 wrote to memory of 3912	2752	msedge.exe	80
PID 2752 wrote to memory of 3912	2752	msedge.exe	80
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3952	2752	msedge.exe	81
PID 2752 wrote to memory of 3592	2752	msedge.exe	82
PID 2752 wrote to memory of 3592	2752	msedge.exe	82
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83
PID 2752 wrote to memory of 3684	2752	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6d923cb8,0x7ffb6d923cc8,0x7ffb6d923cd8
    3⤵
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:1160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:1336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
    3⤵
    PID:1440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,11249629968550633824,16239018997524836164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
    3⤵
    PID:768
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
  2⤵
  - Abuse Elevation Control Mechanism: Bypass User Account Control
  PID:132
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
c592c71053c9f36a19e0ba0075b1cb65

SHA1
201d0a69d043466d24737b1620403f354371dbc1

SHA256
1c3f43d94c8ca3698315d32162ffb97cccc3b7b5d4f07bc1992e8ddd3ba7aa86

SHA512
0332b4ca5098987fd60f24961324a7260c5ad9556a4bb908513ffe1f5ff2c0a235a389e3b0214e4da7c6c970c3cf462707242f3868abd4d4bbd1fbd69d13b05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4c4b3276ad3ce72dbf8766e429d0128

SHA1
9d7b34f03c96f6c980a5a86ce03167bdfdb52a1c

SHA256
422e73d73b27ae64286433d0d2c05120171088fd7b5eaa8d3b7cf1f73ed60248

SHA512
2e5922cae48805f6159fbeef1c65e6c04ac2664bba6efd54f1c37445b700f44e742fe896b8cf1e3cf8e1a6a64a7cdced33d5c47d2930a14a76d059e36e239ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fab02bbf586f9df7c1baaa773fd6d5b

SHA1
483c2a62ce74266ab4afcdfd22ddfe55f30a5a27

SHA256
70375b1fb9a9c5c9b2ecee9e4ae72296ad9e5c1352ebaa533d9c20e1a56735c7

SHA512
28a722a714a3a0d602adfb91ac9148284f4410aaa96242d82e0fb5b444ef168df12dc1001eae322618fafc3ecb2330c89f2b0b448f16c58fc2664eabdf9574e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f477c75a65659ee87188862696fdc24d

SHA1
15cc11f47738d52e995ba970a92986e659291de4

SHA256
f8f39eb8c8ab7e166535e79497f1d3e4b13ff753f1ba52f3c7ad7ce8e61ace45

SHA512
a9c10277f2ead5e9828a5be8a6a96d1c9f5b2db5753bd81ef25974f5c6c6e3398aea5ff6a9acf0e78154be2f619d07875887d2de7ca346f3fef66d41bbb9a741

Download Submit
memory/2848-3-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/2848-4-0x000001DB56E80000-0x000001DB573A8000-memory.dmp

Filesize
5.2MB

Download
memory/2848-1-0x000001DB3B4A0000-0x000001DB3B4B8000-memory.dmp

Filesize
96KB

Download
memory/2848-2-0x000001DB55C00000-0x000001DB55DC2000-memory.dmp

Filesize
1.8MB

Download
memory/2848-5-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/2848-0-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

Filesize
8KB

Download
memory/2848-131-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/2848-19-0x000001DB55B80000-0x000001DB55BF6000-memory.dmp

Filesize
472KB

Download
memory/2848-20-0x000001DB3B9D0000-0x000001DB3B9E2000-memory.dmp

Filesize
72KB

Download
memory/2848-21-0x000001DB3D2C0000-0x000001DB3D2DE000-memory.dmp

Filesize
120KB

Download
memory/3712-7-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-13-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-14-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-15-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-16-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-17-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-18-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-12-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-8-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download
memory/3712-6-0x0000012E64CC0000-0x0000012E64CC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads