discordrat | hxxps://mega[.]nz/file/4nFDUZDL#X78fPOLzSILTjoN6A_dNQFZeMnnvbme-DKfHHid-Pbk

Analysis

max time kernel
18s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/4nFDUZDL#X78fPOLzSILTjoN6A_dNQFZeMnnvbme-DKfHHid-Pbk

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjMyOTc1MzA1NzY4OTcxNw.GfGkYR.4NIueWQiWsR14nSV_wd0Nsj-vv67vQzF7zcI9M
server_id
1256329683432112240

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 13 IoCs

Processes:

LX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exe

pid	process
5452	LX Executor Version 2.0.0.exe
5664	LX Executor Version 2.0.0.exe
5764	LX Executor Version 2.0.0.exe
5840	LX Executor Version 2.0.0.exe
5924	LX Executor Version 2.0.0.exe
6016	LX Executor Version 2.0.0.exe
6112	LX Executor Version 2.0.0.exe
5168	LX Executor Version 2.0.0.exe
5432	LX Executor Version 2.0.0.exe
5272	LX Executor Version 2.0.0.exe
5660	LX Executor Version 2.0.0.exe
4340	LX Executor Version 2.0.0.exe
6224	LX Executor Version 2.0.0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

62 discord.com
64 discord.com
69 discord.com
73 discord.com
76 discord.com

flow	ioc
62	discord.com
64	discord.com
69	discord.com
73	discord.com
76	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 944495.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

2892 msedge.exe
2892 msedge.exe
4952 msedge.exe
4952 msedge.exe
3588 identity_helper.exe
3588 identity_helper.exe
5356 msedge.exe
5356 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4952 msedge.exe
4952 msedge.exe
4952 msedge.exe
4952 msedge.exe
4952 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 944495.crdownload:SmartScreen	msedge.exe

pid	process
2892	msedge.exe
2892	msedge.exe
4952	msedge.exe
4952	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
5356	msedge.exe
5356	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

AUDIODG.EXELX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exeLX Executor Version 2.0.0.exe

description	pid	process
Token: 33	3024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3024	AUDIODG.EXE
Token: SeDebugPrivilege	5452	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5664	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5764	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5840	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5924	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	6016	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	6112	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5168	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5432	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5272	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	5660	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	4340	LX Executor Version 2.0.0.exe
Token: SeDebugPrivilege	6224	LX Executor Version 2.0.0.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe

pid	process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4952 wrote to memory of 1508	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 1508	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3012	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 2892	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 2892	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe
PID 4952 wrote to memory of 3060	4952	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/4nFDUZDL#X78fPOLzSILTjoN6A_dNQFZeMnnvbme-DKfHHid-Pbk
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa993e46f8,0x7ffa993e4708,0x7ffa993e4718
2⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
2⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
2⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5356

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5924

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
"C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11464434653927180166,5728675705857636089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
2⤵
PID:6384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
35bb3e1e4c2662a8859aa6219eee4f4b

SHA1
03e6c47c493de2744261858856cda543ded73c66

SHA256
a2f560a7aa951491ee958f9467181e25903c803021709bf0f899eefc5ea4b747

SHA512
c050cc498703e863e681571d1dffe58bcd6a2b366befae15921bdbf0f19fe8da6193f1d51e7515ef8cf5f67a35935de09e5cbb74dd23dbbcf53453559e9f8399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8c43cc7f29c5fb25421433465b3184e2

SHA1
ddb66f117ecdf78af1c5ddb3c2ef487551f54a52

SHA256
ab8bf81cb0a6a1c4243ab5a08e5c7d6bf0d2c2b767a450d2ca47075d9cf1eb7c

SHA512
f18756b6a020130ea967fc9589e8f2e73bc22537bcb3faa5dbd9f38d98ea6ac51cf7476c6383f9c85f46b39a990ad8aa7eb90b218e3b07645e6ab0c6b60747f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ecc30ba6955dcf40c73c606c8381bb49

SHA1
f61abf64f3ddcc436b52c7a8bdcba8fe7c6adcf4

SHA256
62a31dac279141aa73c19a801489624c12e2bdbeceb4a7e2c2673c2fa1d0884c

SHA512
3f3bb0acc1f857e049556dee56013618d89c23494fdbec393b43a2f1e1e25ff281af2b026db8cb98c6f6ba7872955fd648d4b9ee2967aaa5dc2f4f6b014c479a

Download Submit
C:\Users\Admin\Downloads\LX Executor Version 2.0.0.exe
Filesize
78KB

MD5
b9c844da75ac53eef059d1c96e1bd28d

SHA1
e4ab7a4017e231862e0eb30b986ba0fc20cf767e

SHA256
355356788b0f21e59561a73263baa7513e6558efc35ca72daa4acb36e13f8dd5

SHA512
2d1a8e5a785da1db6bd6a4c2b9b1f8ebcdb23ec2228007f25af9f324b666a07199173efdbcbfbebdb59c7189282004da670037d6ee208818ac83dd09f5b4f49b

Download Submit
\??\pipe\LOCAL\crashpad_4952_KGJWVHJNFRYHMDVD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5452-171-0x00000204F5010000-0x00000204F5028000-memory.dmp

Filesize
96KB

Download
memory/5452-172-0x00000204F7730000-0x00000204F78F2000-memory.dmp

Filesize
1.8MB

Download
memory/5452-175-0x00000204F7F30000-0x00000204F8458000-memory.dmp

Filesize
5.2MB

Download