hxxps://github[.]com/moom825/Discord-RAT-2[.]0

Resubmissions

10-01-2025 00:27

250110-arrkwsvrhz 10

10-01-2025 00:24

250110-ap2yvavrd1 6

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
93	discord.com
94	discord.com
95	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{872F2471-071A-4576-80C9-13FF1953503B}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
208	msedge.exe
208	msedge.exe
2720	msedge.exe
2720	msedge.exe
4192	identity_helper.exe
4192	identity_helper.exe
2200	msedge.exe
2200	msedge.exe
5652	msedge.exe
5652	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1524	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1524	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
3084	builder.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2268	2720	msedge.exe	83
PID 2720 wrote to memory of 2268	2720	msedge.exe	83
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 4408	2720	msedge.exe	84
PID 2720 wrote to memory of 208	2720	msedge.exe	85
PID 2720 wrote to memory of 208	2720	msedge.exe	85
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86
PID 2720 wrote to memory of 2912	2720	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/Discord-RAT-2.0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb315846f8,0x7ffb31584708,0x7ffb31584718
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3277734701146613219,17964719081050509957,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3092

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4acc0b60f3d4875389057852f81ea853

SHA1
7c4175afab8d2c7165886e3be34ea21cc6650eb3

SHA256
afa7d9819cd33415a4a83d07b73c535b878376ff07b4a2012ae8d5030a093c69

SHA512
e316a1d225e89b7737dcfd2899864e434dea89ae2a675546a59132ee664e6a92e8439f94a2be3e22317df2b06d2fb2116c15873e9dfd2f964b413eb6bcf05ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
f6965b504f2e0b2779b1fa296d44c2d5

SHA1
8f04203694efcaba01c130f37e3283ff51152e61

SHA256
9f2db139521024fd3ce0b92e32be56c49945e8872bcac6346fc3537319ab2ffc

SHA512
b37fe4fa778aa7c4660da5e2168af8d59211b689d1f5e685d80f2b35aec5f6269bfdb4461b4c4bdb8cc01241641db14a3e17acaf57a984e9e8acf2a954f4fb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
192cfe5a83dca08833f05bed98d64ade

SHA1
e63933587e3a4c5e1b20a4beaac7734dcff5e865

SHA256
459dc773fecaefcfc3461710dad24a417dac4198976961afcc798ac9b0a8013c

SHA512
eb1af326fb1aa7b9cc43d32672df28ed0fde9e91e626cf73b693dbdc2b66e9de98506b4d0784a913382be0af6a24005a3e3b10ddfab168bfe10aec135da6a5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
727097527f6ceff1d4fe1e3d24c69042

SHA1
1ea5542a9f25a6954a9ee1c3c48ca5fe2ab70532

SHA256
78d9f16391182b81bd4714f8605114202a9ae9cd3cd8a466634e3876461872e3

SHA512
02b8582b523433bc3c493db8f376e7b82ea693ecb30e699fd81e4b28d449654192fedc7ad5f909c2daeb5457256d17ef9b78dd51ec903f1553ec0bd714b1afc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5aa76a96f0821e695a245558474862f

SHA1
6c4379a41ef94621955c073b0b9b5ab078b190ac

SHA256
7b4cc16c4269926d80b16e377e08f239bfa5cdaabc73fe760439ec4a7c0b99e5

SHA512
9d59d21d23aadfe9b5bdd0e706736a3a60a6001bdb76c2f421585e20f1e30454324b1823056902f6d84f079a09ec053618c36041e1f9575e8ac27285cb70f2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b655dd4326255e2796df28b7acad6d8d

SHA1
b01b18d6e8200ecd9a10d133aa7523710534d6ef

SHA256
eec193d27da22a9b1255893c3fc68b940b639452aa1ef3c445361c4bb6729013

SHA512
9a53ad23d87b53c5854112e63f1136308248da7bd54f4f2a5540e7a1efd973304baf338b18735d657e8c8cc32f80e1779cc1a78d7c80dd5708f38bf49993fe0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
abf46e89fd6fd5efbaf6c37d1eefd25f

SHA1
bfd79cf30afb8e2b9f798cf1605d6b51f35945f1

SHA256
b082f31491df57d6fa761947a277b60d6af253d9ceb8874bf1887386647addab

SHA512
c2887e4de4483697e1be5274557fbd8c5f019bf2a572b31ed4e77763898cc0cb46e49140e64e2def0db72e5ae6b32b20e323cb0c09370c831af96c61dd6d7315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a55d2c89a7e494b831775c9c066a717a

SHA1
c66b3550f33f1363c3dfe735d18a71f40d8e7873

SHA256
ee1d9ca2a114d5d290e1f96ed37da972bffad03dfc302e7324d63a868f3e3647

SHA512
108c019f05298526ca3b4ee2892e4ae6a2117c7c2b93e03e8f4eceff541e037055bc486b8e6b79ccaa6641fecaef46ae26ff312cf3f46a69c043a92eee5f1f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
540999429de74e0a9551cf716e84069e

SHA1
c77c6d087493584520c39723832f6e3d08980931

SHA256
9467ed93e4dafa7c73a2a70de4b194187e9453386307c9666ba091144b533786

SHA512
275104a86f70285f2005ce059b889dedffe7960faca2b9758b2ed378f83e5d5516b7e479c12584366b6b8b4bf0d95c4f0d5039ce120901a7eb380ffd5b043100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b6182af878b17a70938f2337b68bf89a

SHA1
5e7b37986fbfba67d6b89a5954d3bda0d399522a

SHA256
36ec4c71150621dadf2b99d051843f7eb99fd2577c1d5ec13fda7f23eb1a2bf2

SHA512
71190e61a8a00d7efe388c729235bce94f72a2c20462b68ddc76fcef5bd404586248ffeee11b7529648c1377f97dad653fdaa14f3cfdb75fa787d64969b4718f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
19af8d9bad8015b2a8c742d159334fd3

SHA1
05716adb925142a75243deb3863a57ed5c005a10

SHA256
a78729842cd52787b28fc31593b2a2e049dd471b6f9b5b66a67100e2ddc98e03

SHA512
bbbf3b5d8788240484c7700817c395b3bfb87d0c66b3b1279b5b295df463f29b44f0e54864725abf6cc08b9887c9c25c4738c1bd26a6f63d3e1f0160d6401295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e01ae71467f73c0757c3c9d6e84db78

SHA1
cc23e061391847a25c0a390f54459f9434217ceb

SHA256
fc5e39d139fc3587a55f32e73b3238b18887cf54e338f617d28400845cb9b9c3

SHA512
bdcf865c2e5028857aa63798853b6a1d37bf05818a5dd634454b6164402fada5a95da87b7edd2daf9cedc051fbd5fa656b4adcf2f5b0b62e717b72c757bdba8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
165e15c2f614b8d927614538af4096fa

SHA1
31bc1a99827c9223c5c808dfda7b0a98c44448b6

SHA256
ddf8ebc16a16e7b655858af0bdf05be86c84523fceb04a2247cda041195ad149

SHA512
491f5cf3883837b9fbf6650efe7f21c176f53605a8bcb47555c030236aa34817e2ebfa01bd94911e6b27cc42a3b748c8671e182517d7a158c8b570826a2dd5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f7fc.TMP

Filesize
874B

MD5
ce02ac4dfd4f26ae066168ad44d9246b

SHA1
a4e9592425695818953eeeb652fae3a0902f697a

SHA256
8b1570ff44bb9461b413037d679187abd854d1370a03e2cf4eb82c9b32ea5254

SHA512
34144102085a5d7d368e5cd55cc51b9d494b7fd38bc6f42aa94e694ff6bb069762257755ee3a07a253d8c9ff99bb1e36bc4629316e0982928c6fc1a6b949fde6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
69635fb79d2e6f0a5fb726942f556499

SHA1
ce573efd59bfbbec4c9bd84c32ec2d29f838acd0

SHA256
ab853d4d269b08f610c276a58d27c44e6054b387495326ca802eabdf3e528392

SHA512
6470210aedd4c84bc13a3fc0dc3366f08fb01a9195a1c95729301bb341da2f7add0d413471f4f57d261142a0dd5807a468e2ae0f9f8c1be30565840649145b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
82b4c78d18c5cbb27289b87b14f0d0e0

SHA1
2e7d8e4268750b272ed49501a1b8d482b22342f9

SHA256
885230a45a83f526d5e4aeef61825408745f69d633c4e1cdf00c62f7888cac74

SHA512
8fb888648bbbb83ac8fe138707dfa9298d241c69ad2edcdab9381351e892582322331c7d7fb5080c560f825bc939be6a6488f2135ad8fbf9d4fb74ee930649dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\release.zip

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
memory/3084-219-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/3084-222-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/3084-221-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/3084-220-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download