discordrat | hxxps://mega[.]nz/file/DVBF1YzZ#AiZ_BLBlm9WPTi50wEUIKNzJ-73HBqhT4r8FNBdYDh8

Analysis

max time kernel
124s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 04:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://mega.nz/file/DVBF1YzZ#AiZ_BLBlm9WPTi50wEUIKNzJ-73HBqhT4r8FNBdYDh8

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyODM2NjA0MTI1NjAzODQ4MA.GMoLM3.YYSlvGXSoMWUvddGIWbu3_b3RU8_S2GzYmAz64
server_id
1328366100961951837

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
4784	Dont't open this file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
91	discord.com
94	discord.com
97	discord.com
99	discord.com
100	discord.com
85	discord.com
86	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 996980.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5172	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3692	msedge.exe
3692	msedge.exe
2972	identity_helper.exe
2972	identity_helper.exe
5420	msedge.exe
5420	msedge.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	3452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3452	AUDIODG.EXE
Token: SeDebugPrivilege	4784	Dont't open this file.exe
Token: SeDebugPrivilege	4756	taskmgr.exe
Token: SeSystemProfilePrivilege	4756	taskmgr.exe
Token: SeCreateGlobalPrivilege	4756	taskmgr.exe
Token: SeShutdownPrivilege	4784	Dont't open this file.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe
4756	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4424	3692	msedge.exe	83
PID 3692 wrote to memory of 4424	3692	msedge.exe	83
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 4324	3692	msedge.exe	84
PID 3692 wrote to memory of 3664	3692	msedge.exe	85
PID 3692 wrote to memory of 3664	3692	msedge.exe	85
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86
PID 3692 wrote to memory of 2124	3692	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/DVBF1YzZ#AiZ_BLBlm9WPTi50wEUIKNzJ-73HBqhT4r8FNBdYDh8
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8f5846f8,0x7ffc8f584708,0x7ffc8f584718
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6672 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,9164072791439268639,4840383664666910595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5520

C:\Users\Admin\Downloads\Dont't open this file.exe
"C:\Users\Admin\Downloads\Dont't open this file.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77Dont't open this file.exe" /tr "'C:\Users\Admin\Downloads\Dont't open this file.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5172

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9a8e63142edb0209f2863907b4a18090

SHA1
8db6c4fed29848632c2d65d86a50177440eccea7

SHA256
7ba18c48f0ca5bb7af18df9b23de791d03b7205d5b9f6cfec2ef1fa423d5c408

SHA512
72cadb27b1c7683f2240ba16a73f05746cf4c7269813993f0df0ddf68391fdbadcacf22516efdfb41e69de19fc73a0b19adfda9c2396d064b508311a8627ed50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9271be41b21149acf9356fac8627313

SHA1
c24a4fe344f279f18f88901896abd0d47ea3467d

SHA256
b4ef76c467a444aa89a09b6c7aa15d715f5d2f68c5acf32afbfa01470f3316ac

SHA512
9a68f7df6478e1e5878d454da564ae1a357db583e78453f0757c31ad005de37d7c88ec4ddb42d197c612297039a42986e668c90666b436dcc2fb7b481995dd33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a22b9709eaba50256ae4fb15aa965a6c

SHA1
500f240a0090f8187ba45d72e34f4df084d92ccf

SHA256
634a04266d9a41db593a0cb2905ae776ed695dd617ae9751ff6d1d160fd2ef84

SHA512
02bc307d5a5694e62ef4fe8847761526a12c6ac38c63d557905126b695cdf72051ec53b8e826e51fb4ef3d6ee9442ccf703dd0057a85a67df7dbcd2411495b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b32455d757f0d35cd061d130836c9d29

SHA1
a966c1afe7b41b09f94b34f51c17a50b2fb17bfc

SHA256
5638babb2ed32107852cd9ff0660f0b0abd8ed45658d2e617d079ca52cd66344

SHA512
8448f71c9ad84ef35122bcb446d4aa27a9af81c2c58ef1162847f2c399d4843de66338aac39a3d0f1939fd6d6f72c02e1a58ca7bb439b966623155376d195029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9433869ac352b8057b6a4f0ca6d78ea0

SHA1
053864b70776d6b074dd1474416cae6156e0a3cc

SHA256
c95abfedba38c27c9cff479f8bb5e968cc8daef9133d07af74015fff40e69661

SHA512
983b50bab9fa856cc0e771eefc2e73314890a09be72bb679c8b5ac407e3a0635237aa09a713bcb6493dbd5641caf8358788efb55460eb1d4dcfb04c577ad5a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75b128b092798b2469bbdabdd6d4b1c7

SHA1
3b3ac03b1543706e208ee56986b77f6e5ac370c1

SHA256
fbbbaf7958d683075ca264225a1f35d8ec5779973c8f7a21e6508b93ad4373c3

SHA512
477f43cb2540c5d4776230d0f978ccecdf070b70f94c705882ad36b82ea42f1997c9f60876a3e7e6e946f643dd0e80b9d5aef005f3788e4a9f9e141eed17b05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7608a82bccadb29d0b4be093ae85b62d

SHA1
1b3b51ab090973655edba7617356d45af4d46506

SHA256
004fda7443c3b5500e5df2ef69efead0c8aaedc803f24baa9e619eb49d551ce5

SHA512
3c1fa96a2f12df925aa185171cb060478f7c08b22fe2bf125e81ac74927d81748b9d413c14d6f76f204d3380d06be6bd125a06e048bd9199f85aa03fabb27071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e9c4.TMP

Filesize
48B

MD5
93296d82d79a97ad9044df453a83dd75

SHA1
f2bf76453ccaa5a040f7c04c41e543fddf7ee5f3

SHA256
ac37228872ef87178b10eca576d03a9e24dd824923d084c00a1f61aeb0da4beb

SHA512
2c852323914206af3e2258a93d66fbfb08c8b5d3c6a3b19c60c94a1004b923a8ddb770a02dc29de32fb4dc619cef1a0cfa3c93d553541ed4f4f049f4f0e9b866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8c61a75cb31bea9f7cfa9e8e49d81954

SHA1
4383a96dfa5dc550e7131df804f4aa9c8445522f

SHA256
30bfcdd4892744bfa0890bdc89402a74b0c374e408faf22a2e88be172e93b5a3

SHA512
b1e74516899ca89a05ed2293471bb517d654ae2bc9ef62055ccd26f8aa5d5227a529d4fbebeb30dc5d6b9544e508a9a1c352bb70a4d589e52931681d416cff2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f852444b7aecc22cc7f3f7dbc1ac1684

SHA1
9aababff7f8391f55b46c4d7f03cf98f56f2f7da

SHA256
59a2c9ef148de7b19f12c807c1b1c0f5ab5cc0e654636349b43718439c297bc8

SHA512
32c5ea1f7df55882378a593b1a9fd44714a43bfa589bd5dd6f6025b481dc90ae2f37527edf552e0b374bbe6460be8061db9925b303f9410246f96190b5111721

Download Submit
C:\Users\Admin\Downloads\Dont't open this file.exe

Filesize
78KB

MD5
4eb6e5033797650e5ed6e1f5fee218c8

SHA1
d125b226bd38f3787e8e4025201c3487e167d852

SHA256
4d34b7943446c045620410e05a16c6135d83d4863f62a7a312cb11800f830594

SHA512
8817317930fc74aeffccbd272a4acded550d9aa8c968b5fac6df36709e336c0c72411b1882a04655124cb141157a836e61dc7a807ad00402e28cbfb876d4423c

Download Submit
memory/4756-352-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-362-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-356-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-357-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-351-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-350-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-358-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-359-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-361-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4756-360-0x0000029B9B310000-0x0000029B9B311000-memory.dmp

Filesize
4KB

Download
memory/4784-348-0x0000014A663C0000-0x0000014A66582000-memory.dmp

Filesize
1.8MB

Download
memory/4784-347-0x0000014A4BE00000-0x0000014A4BE18000-memory.dmp

Filesize
96KB

Download
memory/4784-349-0x0000014A66C00000-0x0000014A67128000-memory.dmp

Filesize
5.2MB

Download
memory/4784-363-0x00007FFC99830000-0x00007FFC99842000-memory.dmp

Filesize
72KB

Download
memory/4784-364-0x00007FFC8D730000-0x00007FFC8D73A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads