discordrat | hxxps://mega[.]nz/file/bzACwQpY#fEW7LQ-AwrH4BDlJuU3zXK1c_3_jwRmcsdfCz7u8Eio

Resubmissions

24-01-2025 04:40

250124-faj3daznfz 10

24-01-2025 02:58

250124-dgltfaxneq 10

Analysis

max time kernel
74s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/bzACwQpY#fEW7LQ-AwrH4BDlJuU3zXK1c_3_jwRmcsdfCz7u8Eio

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjE1MjQ1NzQzMzg0MTY4Ng.GegUda.sEXJI18X6s8vr3thxl2kB0kdlOYRbpk7RIjEqs
server_id
1332152349216735336

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 13 IoCs

pid	Process
5356	Gorilla Tag Ban Mod -UNDETTECDED.exe
5864	Gorilla Tag Ban Mod -UNDETTECDED.exe
5344	Gorilla Tag Ban Mod -UNDETTECDED.exe
5540	Gorilla Tag Ban Mod -UNDETTECDED.exe
4324	Gorilla Tag Ban Mod -UNDETTECDED.exe
5080	Gorilla Tag Ban Mod -UNDETTECDED.exe
1756	Gorilla Tag Ban Mod -UNDETTECDED.exe
1060	Gorilla Tag Ban Mod -UNDETTECDED.exe
5068	Gorilla Tag Ban Mod -UNDETTECDED.exe
1288	Gorilla Tag Ban Mod -UNDETTECDED.exe
6056	Gorilla Tag Ban Mod -UNDETTECDED.exe
1604	Gorilla Tag Ban Mod -UNDETTECDED.exe
6140	Gorilla Tag Ban Mod -UNDETTECDED.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 358059.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4356	msedge.exe
4356	msedge.exe
1036	msedge.exe
1036	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe
5180	msedge.exe
5180	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: 33	1900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1900	AUDIODG.EXE
Token: SeDebugPrivilege	5356	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	5864	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	5344	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	5540	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	4324	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	5080	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	1756	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	1060	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	5068	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	1288	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	6056	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	1604	Gorilla Tag Ban Mod -UNDETTECDED.exe
Token: SeDebugPrivilege	6140	Gorilla Tag Ban Mod -UNDETTECDED.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe
1036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 3916	1036	msedge.exe	83
PID 1036 wrote to memory of 3916	1036	msedge.exe	83
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 3644	1036	msedge.exe	84
PID 1036 wrote to memory of 4356	1036	msedge.exe	85
PID 1036 wrote to memory of 4356	1036	msedge.exe	85
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86
PID 1036 wrote to memory of 1416	1036	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/bzACwQpY#fEW7LQ-AwrH4BDlJuU3zXK1c_3_jwRmcsdfCz7u8Eio
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd01646f8,0x7ffcd0164708,0x7ffcd0164718
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5180
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5356
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17808011576774064073,15473617570864054219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5148
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe
  "C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7fcb43b4cb32eef7d6b12cf4356b2d17

SHA1
0df56b59b849a14f08d7f47ac2ccddeec5f1cd21

SHA256
9be8f8c6bdcd0edeac39d7075792493a1f5c510bf962830925d201762702e77c

SHA512
7ed15b46e3dab99375d2a712dbadbbf43e86948938c7d644acbb36845f9ed9971ea03a963b079eaf4bf1386e152d1a5977ca78895b3534df0021180dd499fa0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8d2fd5b3d5ebd80725be4eb07bfe4c0

SHA1
04e4d8923086b701ae79883a99699b402334baae

SHA256
25799afbcbf9945cbecfac461fa23959a60d941cca77173c420fc36ce5681d54

SHA512
6064c8eb47a8c06afe5e8a4ef2ffc838f2ab5c29ba39c31e32ac3c6cc6e99da8e3e10102ec639c959adbe7cff6cb30e29b31a7de4eda296b6350051fb2841de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b08a83603827f18fec97f16426b5df77

SHA1
fdda7cf8ec3afc858216c7f5add4e01194f576c5

SHA256
8345329294d6f641cf1c63bd6d49428da054105c5aa43dfd10137f4cdf095123

SHA512
3bf7554646c17587e76a0f5ff9208e51cd9aaf7bc34c40b047c685ef69c70632a8be78fccb4a4ce4e93bdc77e8197e61126d0d4a17a82c6a0ea01b4a4a8acc27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
49782918a3756f18e919b2ce94e1ba9d

SHA1
5df2b8b5eddc656fec85244f3a51d6e71706ce6e

SHA256
0f64ccda9f0ac964c83aec4dceb64038c6df2640d8407d1e5f110be50b24e8d6

SHA512
26667b1fa08bef9032a024954f53582e320113d93b0f6c020834402f8dd18018bdc495a1b76c51d90ecee2ea714ccccf8c91627073dd2dbf9372b39c0f2dfada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0b248e622a9ad73c2ce09f69ad710236

SHA1
f1e6ae3197f381869e5997f676e44e56cb18b676

SHA256
70944ccb4028fad04798c4feebbaf09d3c658f367f36390392b507cf573ec874

SHA512
3d5c931c289bce89e6b17f999fd2ff4a69129a40e9292b70ea36176453dee5f93688019ed145565af9a6eb7db6db0c80caf11c06dc0b2c425de784afe1c5a883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e9e3.TMP

Filesize
48B

MD5
2e3021b9ae2f7bacbd638d19e66a6809

SHA1
5ef571e0636f3e1cacf40d52db9c6cb43f615d8b

SHA256
c75f1676abb9f6fda14f5ca6832483a48e54f219d02af90c1812d4a68be03d97

SHA512
bd399dae165894f38a535f7ee3b8cf6484c09119a03753763056fc3350829716756576c49cc4834a9a6741af82d9351f0fca0ca17461a519f36f67963283249e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7506f09f3bd80f7bc60cdfe6b79398ff

SHA1
b7373dee625d9b6939cf1b02dd6519596dcad738

SHA256
3bee7104bfcbccf1ab78dc22de6d71abf1bc329f803d5fba9611daafd34867ea

SHA512
092980654ba015f5be405cb9112669508c6719e3ffab92b9112ddeab4a2eb594e16eb7726c65e136dbf90bdab17b2aab576b65956f7572ea2e35f0ea45c5bf7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12b2079a33f7a4d18537e196072c70fa

SHA1
3d6a38f2afc3708d95a2e7d1b6c221c22ecad1df

SHA256
92a53b1d4939ade5169adf098080d4b2f1593614177686c50fc380fc10cda9df

SHA512
7ad5d35eb8da1c5f56454049320e8d3bab5cd822ea815d95d501785b7c601ba4900ff02927b835834bf9fdb47438335f098afb60f3aa9267e9ddd4822aeb77ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa5a262a9057f3b56a1429869206e566

SHA1
374836da127c01ffe55627159cce9d724c1038e1

SHA256
77182dbdd048d7de37e23f0f557ef7f3669d61021e1138fa2dd96fddc2f67964

SHA512
0a3923d56769019a7cf0883f19f22fa58ceb773ef277ec38b2a5b9f243cf0944909a47bad2f13940c0c735de73d16e83e74885455030129792d0f48492b9283f

Download Submit
C:\Users\Admin\Downloads\Gorilla Tag Ban Mod -UNDETTECDED.exe

Filesize
78KB

MD5
25de1708f6dddc1f577725ed54ac7ce3

SHA1
7988c6c41dbceb42fdbe14cfa4fc0b57d41e2355

SHA256
bd78b356899a5e06f27ef41237950a35ef0d8a10b1e21faeaa8bb14a4f8d71f9

SHA512
9076d2f0982c20da98889d828d75b29d58aa01ce06d8719a2485d90cd34d315052ee411a5c6713020cad417b270b9cba1df679c8bfe8ed82678efe2fdf4544e2

Download Submit
memory/5356-224-0x00000207F4540000-0x00000207F4A68000-memory.dmp

Filesize
5.2MB

Download
memory/5356-223-0x00000207F3D00000-0x00000207F3EC2000-memory.dmp

Filesize
1.8MB

Download
memory/5356-222-0x00000207D9620000-0x00000207D9638000-memory.dmp

Filesize
96KB

Download