discordrat | hxxps://www[.]mediafire[.]com/file/300cjy4oqa1dsme/cheatyvalo[.]rar/file

Analysis

max time kernel
731s
max time network
739s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/300cjy4oqa1dsme/cheatyvalo.rar/file

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMjc4ODQyMjE0NTgwMjM3MA.Go0el1.kkwLFm7-A7R2wXFWacK-vx4OLuu602TqV4R8_s
server_id
1322788342886174841

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5212	cheatyvalo.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
220	discord.com
221	discord.com
275	discord.com
172	discord.com
201	discord.com
211	discord.com
212	discord.com
214	discord.com
198	raw.githubusercontent.com
224	discord.com
227	discord.com
173	discord.com
200	discord.com
217	discord.com
218	discord.com
176	discord.com
197	raw.githubusercontent.com
215	discord.com
223	discord.com
273	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
1888	msedge.exe
1888	msedge.exe
3164	identity_helper.exe
3164	identity_helper.exe
3380	msedge.exe
3380	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4740	7zFM.exe
Token: 35	4740	7zFM.exe
Token: SeSecurityPrivilege	4740	7zFM.exe
Token: SeDebugPrivilege	5212	cheatyvalo.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
4740	7zFM.exe
4740	7zFM.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4420	1888	msedge.exe	82
PID 1888 wrote to memory of 4420	1888	msedge.exe	82
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4920	1888	msedge.exe	83
PID 1888 wrote to memory of 4916	1888	msedge.exe	84
PID 1888 wrote to memory of 4916	1888	msedge.exe	84
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85
PID 1888 wrote to memory of 736	1888	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/300cjy4oqa1dsme/cheatyvalo.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff911c046f8,0x7ff911c04708,0x7ff911c04718
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4145917247644675098,15271001834642385674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2144

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\cheatyvalo.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4740
- C:\Users\Admin\AppData\Local\Temp\7zO482D1EE7\cheatyvalo.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO482D1EE7\cheatyvalo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
    3⤵
    PID:3156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff911c046f8,0x7ff911c04708,0x7ff911c04718
      4⤵
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
16b022750f56ca2b3e1aa35d2ec8279f

SHA1
5127ad554c768a9b227c1681c7922a9f70b8cee5

SHA256
5eebfa9910550874e6bdb3c8da3a95fe339dee9a02deba75ac6923047655674a

SHA512
1b440c37d1ac0d726338c783107b7294ea174824794dd1736578316e6b873ec90071bd19c3635ffe3780b57491ce39fce17e39ec1cee36434492a1bd1ad977b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
222cc1967df46edb085bf224f6215813

SHA1
2f8f24ae776e67ea211b16fad65734f6a6fb4cd2

SHA256
204e740ed36418feacef970a1eb08096d9e850dfc12dd2bd7013e5d9b7d0ba65

SHA512
9a894c9d315fa598aa2490f5ec9b811d96f9071019955d561b6113dcaecd8a087fa8771647fc935d3d11df9b130fd6f7b760d00755642c31ce19bea48373af6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
06618ed941d6432bad06f17c2702236a

SHA1
4fe51f52d971929e9c0cf1c635d04f0a813036d2

SHA256
a55d96eebcb53e3f0936ffafb75a2df00cdd6a5238ea8e5f1115297770a5793a

SHA512
5357a8773326586b0cca90602aa067065fe70d9d23982d7452bef0b061abbd2b504395ad591621e40f1fb54e67c42f52b2191db5a0a1d0cdeb905d253e2786e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
74ae7ba2b427e84116c224154029aec6

SHA1
965b7c11636b960912e8e0fd79751a6a4a57e1fb

SHA256
d73cfbca59e56f7d6bc9122511c69d7154482af5c0dc2bf449bc10be8e2e030e

SHA512
57a6141af2b29fe7500bee8cb8afb0e4ad49d472de3bf1923538a4f785cee69546ab1cc1932da47ea1cd88bdc8fd87d8424b00a63ea2c56a361a3d889b062fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
788e8909500e32851c8efd08b48862d3

SHA1
1c235587dda7c2938c1feb9d745be220a3bbe3ee

SHA256
5c78409a77505232c2f3b6a3513ae630c5f8904e0031139e0191d949ec0ec40c

SHA512
228cb58137604fe42326d798689d76d18b08da063c57a6254672416c60278ea6e25b6faac8730d4c07f2968bccff788a89e5cf29a40606afdb19f41a2535320c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
ef7239ff6e87b9189f710e753d943047

SHA1
0f5ce4e5952751fdfb09b01053e3fc4b2eae1ada

SHA256
17c185e06f36dd2d50a01a61b0571eac301390127c9590095988ceff1c176127

SHA512
b0e881799289f95c787a4d9074f8c45837a97c9f5d87e7e91683db7dbbdae7af17055d73afdd7e18167b2b1a2275269d4dcc450f23c91132472ade6337a80ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
42ca847da197a4db221e689bd4af2e85

SHA1
5cf55141616c18d6043f703163c165d450d7a6ea

SHA256
4037a24c4457db21bdd8a78f600d83f5e5e4f47ed7a04f7090a736904b33af66

SHA512
2b63005f2c220e47763c77daa54577261853d93deb719fdcfc1884308e2531a55443e589c4841c3b509eb47c25247cbd3d79cc190e54abc80b8b64c3abeacb4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
506510774209cc45ca5de4c964facbfc

SHA1
32f7c52565d97f57a82a1706d4e82ed24f4208fe

SHA256
7e8cfdf968c7b8d683cda2ed65444785d53b0a577545a16167a032e8aa1e7c7e

SHA512
4b2c32926c57634954d98537867c4e93cb94b8e48f48a10a60fe00b6a49f4d3576255eec659f5537fe906b6a88f9368c591ea407571f4af4012c584cc789fd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e504c9fa10cc0d9ace296da242d39999

SHA1
baa80ab278bee4199db0579dcf34243569de032b

SHA256
bfe51f162dc0d995c5279cb7165b6228afdefc7ee9c3c33279f700bebc546e34

SHA512
94551d141d5f789d01ddbd0d56fa2b111600c3164948ba0b6925945e4e6150f71409fb71ce0d118bb7cb8df89f0e6b103219d47603549486f0175111a5c8013d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0e20eef4e75fa24a8e2462db3bc50fbe

SHA1
4c731f8217e10d98a1e44fdff4d32a522bb3a913

SHA256
aa94b842f7ec55d609ad7d30445b00de081585aa8f420506637ceb5153310c1f

SHA512
a4d35555c0c51654f8ac8d676e03207d50e18f2ef43122b582dbfd7b24f97001d832ff2d8f8ff2b56ba99ff81020e966e7536078e949255549bb455ff683c4a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b7af34e013f9f788bbaf32692a5286ee

SHA1
26b38b362da53ba841fe9094e991fa7e61cd3d1c

SHA256
6d11fcbdc1c790c8a6f522fe2927bc99db1e7787a876bde70813f54cb3c25bba

SHA512
65b4eb744091733892ac668b9a7c4dbb09dfa18c4a7242d3c52c9f28c0d28bd708aa49d3078cff1bb996610b75aeb732c9ede647e4f3d4b768270f630a74ab3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
602bc1a6f4df8a9b0767b2c8d3cbd764

SHA1
898359ce01076c50a9eb0422719be3dcfd166a81

SHA256
c425c2b4c0ed97db8cc186894bc292dcdaf53ff964b77fd9b749147add7bbd23

SHA512
4a44e38719d15f496b3759e3caed4aea8b6d5eb27e5d06a38ce962efa2c8d6e412d9f18dba0fc39af69662451e18e2d707d45b99dbb91e7b509010ac3659a4fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43c3495ce87424c6840df1f5713a00d0

SHA1
2a5c040e9f54bc168202779f2cb4910bbe3895d0

SHA256
2017dc003a9aba2f8a7fb12759f192ee4da96fc806d697fe52e0574b48ae0d93

SHA512
1efd1ccf93e315c0861459c81b9c8af1d0d8d7cf9aa1bec2422d6053c6ae93d8211797be8f2a192462f99f3a757891b59664a969f35cba9b629e829d9bfd414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d3b03fa2c36167185a7ab3a15f0598f4

SHA1
847488a30a50e8e3073f1b764c56682a27b6134c

SHA256
a6ad034dbdb7c2b6ea1acb23f1d1049699ed029d69e076846a1bcaa712c0cc1f

SHA512
565f7afb36b80643b9a2546fd1b69ae4e314ef12516faf49c0910920ef6b065bd309d1a68268b97b1ed5f86e567d3e45471477ed28312af7de2d0a68a97e8da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe6047bb.TMP

Filesize
48B

MD5
d9387a1344c901520b6215409dcb55d9

SHA1
60c2b3559b941a4e6d263e7eed417c36b5127ae2

SHA256
a4cc5ffef40a4b7313aadd71db564eac070875dbb782a07b528eca7d9a3f1fd0

SHA512
f6f0d4771312a257b990eb5954e51ffa5e2348c13b918cff9ae7da67f6e195ccd2a73635521853c1a9dcdb1de182b3f2d87d124ddd44c363478148e418c5ae60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1141c51514ee09f5e016b9e226c7796d

SHA1
afc6b47a21b1bcf19ab7becefe06e951d0556709

SHA256
40f7e658fdb9a52932c44de2199fc533b69fa10d607f9861b5f005acd7e29439

SHA512
5272227244faf493210edededbf425622ae2eab6fd25278eaea97c8fb2d9425b274448bdcba67b5d2e5ea9af6c3fb1434da4fa74a774f89af30a21d31461004c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe60184f.TMP

Filesize
1KB

MD5
cd1048519454b5edb15aa3409af3f93f

SHA1
f6b290997151b57f2f8eb9aa582844168664aeed

SHA256
4211d8bd97d6d25a91ca0bdf650b3f2563a203eb8edaad4da2d16bec2407b457

SHA512
476d144dd52f99fcdc618270b661cbd133f976156ec06bb6170279187799211ea72f98343b2d9f7a83e5e4240773c5e5edc11de005a3fb3bf2bfb9ff3daa06fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6738337e07d9a0df808ac36417052621

SHA1
6d8d5f7fd9a8f2daf501e7cf4da2903d587f50f7

SHA256
c26cbe9f792c212954bf5ae767bd529f39e3d39e7ea9f5187d1b740b0b914276

SHA512
c0b2ae480b52c32b6714505fa8638566448f809567b1d87d621d5f095ef28f933d621f94ab0762084b33abba98ba05a84550694b6d7e88df937897708fb1d3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f45223af0b701de5b5161593ca8e6e0a

SHA1
416353c12c4e342a40216b851655dd84863e0efc

SHA256
2ffe6d3d4e83c2bf7c013cc8cdba448eb475178532792e869c1b15a2e0e4c193

SHA512
ed3bda0cac19e8ea0c16271fd3f061498696fa918843126044b1dd30d6e3d80098640d131541b527359b78b6f478e0db22806a609a23e546c68ec87a8b34dce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
590967676e81d75fbe5ca1a9d14c1815

SHA1
a7e58e3c8a1d81e287fe8ccd7cbb0003bc47119d

SHA256
c6afd82a14a171cdf798ebac069f4d40172dd604df4822d2976fe4de045da2b8

SHA512
a6decf544584f96b7478a9d0a8e8af5ef99e5b21226179a6c84cbe3a53980c6450f285a8e6b15f85b06496dca5689530d324d1f7cfd7051f584117a5b61fd6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO482D1EE7\cheatyvalo.exe

Filesize
78KB

MD5
c5caefaf3418a3aec6f20eab022ba89e

SHA1
56ef12ffd9a7ddb7ccd65059dc2537a124fa4d6d

SHA256
2f3a72f7259501596e182f2ba97a4b1bca49bfccf7b6a184606463e28cce6152

SHA512
3bb67539b7b7b79378780f401666e8ff183ab90c4d4ff4df247b5bca32f6c2ececa09117fdd85409e500cc08cf0c24be97bcb221e7a2076c0489dc437ee08756

Download Submit
C:\Users\Admin\Downloads\cheatyvalo.rar

Filesize
26KB

MD5
5d8752c81594da28b8f36e2aba7e9dfd

SHA1
fdac263f7c68d85bbb1285b2fcaaba592606902a

SHA256
e98ea9344ffa7f9ef5261b44ef8981aa2d5e5329737d0756d85fd8c8845b3521

SHA512
35f65e8a9b6999bbf19ed17b84d0df10ff579f87f497020606b53e80a6ac4e66e23fd92e105e556a9925c397f26e4bc7c428ed6b725b10369b335f36992a8bc4

Download Submit
memory/5212-262-0x00000199B84B0000-0x00000199B877A000-memory.dmp

Filesize
2.8MB

Download
memory/5212-156-0x00000199B89E0000-0x00000199B8F08000-memory.dmp

Filesize
5.2MB

Download
memory/5212-155-0x00000199B81A0000-0x00000199B8362000-memory.dmp

Filesize
1.8MB

Download
memory/5212-154-0x000001999DB30000-0x000001999DB48000-memory.dmp

Filesize
96KB

Download