discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases

Analysis

max time kernel
506s
max time network
507s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24/02/2025, 16:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMzUxMjEzMTMxOTk1NTQ4OQ.GmEPte.nP43bmNYpHN2uNegk6NN5JcnLmmIyIJiGdYypo
server_id
1335974588726771772

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
1116	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
94	pastebin.com
105	discord.com
106	discord.com
315	discord.com
318	discord.com
319	discord.com
89	pastebin.com
93	pastebin.com
109	discord.com
316	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1252571373-3012572919-3982031544-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1252571373-3012572919-3982031544-1000\{686335E9-EFA7-4832-891C-6D3CF9F7EFEC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
2904	msedge.exe
2904	msedge.exe
4108	msedge.exe
4108	msedge.exe
2880	identity_helper.exe
2880	identity_helper.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3588	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	Client-built.exe
Token: SeDebugPrivilege	3588	taskmgr.exe
Token: SeSystemProfilePrivilege	3588	taskmgr.exe
Token: SeCreateGlobalPrivilege	3588	taskmgr.exe
Token: 33	3584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3584	AUDIODG.EXE
Token: SeShutdownPrivilege	1116	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
2904	msedge.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe
3588	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6020	CredentialUIBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2236	2904	msedge.exe	83
PID 2904 wrote to memory of 2236	2904	msedge.exe	83
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 4652	2904	msedge.exe	84
PID 2904 wrote to memory of 1848	2904	msedge.exe	85
PID 2904 wrote to memory of 1848	2904	msedge.exe	85
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86
PID 2904 wrote to memory of 4832	2904	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/Discord-RAT-2.0/releases
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff98dec46f8,0x7ff98dec4708,0x7ff98dec4718
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8604 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9404 /prefetch:8
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9388 /prefetch:8
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7908 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,5106954764573817644,12182650350824117703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8752 /prefetch:8
  2⤵
  PID:5764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4924

C:\Users\Admin\Downloads\builder.exe
"C:\Users\Admin\Downloads\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2552

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c7783bea48a89e9a6f765d71cbc99692

SHA1
04440c5f8204e907041247319e7e1c967a465c18

SHA256
07666a388a81a4dab32d818c75a7d2ba982b7461c5ec8e0ce804897f3d022066

SHA512
a793cce705636200e9d1c9ce85b6a90a4a98d1e59c748009d355ff686ecd245358f1da8336b63740bef4900ed2a304064236f8e1ed65dcc9f36a5bb99e5b9579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\18f77e11-91fb-4044-8666-d9e95273a0a4.tmp

Filesize
5KB

MD5
7e4e3d63036ba83d99ad5c177ec37c40

SHA1
8ff5028d263631b13b09f2c30fc792e6440a7e01

SHA256
a9ca790b91c3faebec0d1282bf2865c954371728870e99acf6251219a9d1b829

SHA512
4161e13b1f4534556e6a67cae01e9f48b91bb56ff40a6a06cebffd82582d66c625f97ca6d348edab73ddd613587ce6591538ba7766b0d6b0f545e809f9f09de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
1024KB

MD5
8a1eee5e0d7a9b9af323a96c9edf26e0

SHA1
b42cbf325c781ee148cdf73f348e5247edcb90cb

SHA256
e21779687cc413c3bf4b061d09e02782c95ebc510656be5f236dadd3e3e06de7

SHA512
6921316354aec68b001bb7a5205552dfca2f369dca6d1ac21d5ea6ba548edc75960668b386c3587896647da728e30ee0a1bcb950cefc2f09e424307c2eb52fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
337KB

MD5
98ffd7849edfbd7122779c910a11c5a1

SHA1
c91c91cbf4e191e64976574fc8cc706ae754031b

SHA256
e64869f4d5b5d3c36c613031e15206c3b335bdf92e80f43ab3e9c8c43189dd7d

SHA512
444314ef116641b840a5745595b097eed0772ae8e09b9fff4f56521153f1e767590303be25879315a5b70c09bad263f0679cddf77a23f54f8b2b1f39c0c5bb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
664cd46671e20b3e8ab82590124981e6

SHA1
9fe533a2d640fd98c24e1041bbfa1f92e54e5ff6

SHA256
f9ff567494fb85382f4458bc0a7ec8b004ea52c4662c83b989b1e61356328388

SHA512
f5f88fc3b173946c8d182e1b991cda9d9ac77e10c839dddfbf9045867f0a68ceefd3da1681be1f5c596574493e6740d6e0168634bc12f9afc33d0ba72dcfed58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
71e9c37cfd33a986f713fdda66cf4ec6

SHA1
c7a59f5c9198d63a8074a6b75a3d46e2761f9326

SHA256
c3928921903f586b723644b3d2bab0700e311c463a10a0f3a55082dca20866d6

SHA512
2bdd1079b6fdd9da67b1aa45eb216f8b5150ab7d139e14a276690d970ccba70975aff0cbda916ecba149c3b7c7098b5a0bfcb54a41656dd2d85f3973e1b24ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
78c905267b0e33e9ef559c13f16aa169

SHA1
3cf87af071c7b30b370921d1553e8f68c70ced9e

SHA256
70574d14f4c762d2a83b2cdf495ff55f6bcca6171e16a500a8c86f06134e1066

SHA512
d989828d7446c6328bc298c8243483b23683c0969cf64d9da325aa723fc7da60bd6b860fd62e89e637f46d17aaabb46d5766ee924f9f388fe0f2c07e210ad266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
98bc87a69bfe8cfd3bb57949dee1e625

SHA1
d9fcb0e65f0f056d595d13bbfb41d310c286a522

SHA256
dced7bf2c9f49b18e645d301e9ba814952bb8126dc168081d70023956617a861

SHA512
9e642f17abcf7d5de28e1f7e25d5d549d2b84d6401a4062915c9dcf5d44c8906f4165c16df9f0360a8adcb441bc61b2eca4c8a0f8aee955576ffc80c79116cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
636B

MD5
148f30f00b4479cedd37f204c8f1a065

SHA1
a1ffb5f488e05602f57c88aa088ddbfd9d373e3a

SHA256
72f7418b2a04a56b8ccbd70e9b11d2ffdde7de88ebb18acb72c5427566a830c0

SHA512
75e1d612910bbdaa945306fe4dea2191a406313225eddb8a9a820eab6c862269df7ffea7dc6db65960de50ec2026e3203fd80ca6e7573265c4788f9f2a1d9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54797c72f25e2307095fe2e73814de9d

SHA1
acb1c1b8894fbf77313d3f1decde388c678671a2

SHA256
2781cecd527db34ab0275004e4187cba72bad69dbf18d721cd117583f6ab3f77

SHA512
9a6a2486f4ec9c46b10fdb10679b650fda5b0033305092202c80032f6e93cd61c45cb75ad4c3865be4b0f4bfde3708737d4efcb6f69a3f444d85d75631043925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0fc43453b008257122d7cd1238097bb8

SHA1
529dce2c2261025cec8207b80dd50d3e1edde98c

SHA256
ed3afff2b43e1a7e122d688ad67201b08f57e41b993de004e38510e94e13bfc9

SHA512
65575417d7e69536a07c175644c82521c42cd9de02144cd165c8ea335ce0194e73387394e7f4eb36838b0d75981f95d8b588ddd3f1590f5a671cb94e45ca06af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9583ac856d2a6aa6035f837fd6d2d961

SHA1
db23ea2a8be7a0502a285ee68cd6bb8edb11579e

SHA256
6da29e668eae64b5ef33688219110c13df10b4b6ee3b8770c83ed617533bf5b8

SHA512
f248305ad56b973a21804ac988284fa659b3aa432eed39f3f2bfb31dc1d41dd88887a4e4dd62653f6a10346b6382e1a6919d08c31197531954d09038878319fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
92287303baf4697d4930007d34ca373a

SHA1
2d50a3a3a3bd263a2e4ea51b250f367159d6959d

SHA256
4451752b4257c18105c1c843a6ca14952ab83ac732813a0bb7052e98af483516

SHA512
3f7d2049912d709d4c3559f34245f3a93c0861fed92f859cec8700138122abaeb95fcc9949c473d68318ea7d35118680bd41eb8b37a60b4531229fce8e33f5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
452b0995da2fa95d5067e57aa2ad325a

SHA1
a9810369962ec68c99ac1f96bb7a65dcfd7c1c82

SHA256
bedda6fce193f973d088e0b8d4e6f28f77c4358c7602e70bdab2e58ec005379a

SHA512
4d86ad4780d9e78fa94846fe541f2f6d6420460147da55926cfb82418ce965d6878a7cb4b18546390f693e8ecf88739ddeda3a2acbba20a39714c2dbecc27790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c7b3f41a301a2ae062ee42fb2d9ea07b

SHA1
b99b896b6f7ed270d7d73c5a9beb5e3c7f0ae171

SHA256
934ecdefc676b8578a3c6d4c5181e6d5a1c000bdae74b8cf2c2f50496ce4b670

SHA512
e7a40105edee649370067a34e3e0ad8c0b806a6a9c633cca994de3d0044ae62fdfc1cb23e4fa6bdb2a27e1138f5c569978cccc06d981187bd93c3d56982e6c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e1f02d9d14e5366fc3dcbc1aecd2c92

SHA1
a5103918974f9f39166c1b9819eaf73789599d57

SHA256
3d4bafe79509d0bafed53bf4c6b42d536182dd77069d07149194959899936be4

SHA512
570db0f2994d6ef8d174ed2c9dd1c17d3ade353d17b595c01f2449b976c00fd7e88b4bec5ff25a18659c8ac44f09719582ff78c95bfef330d4cb55b4a0ea9ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb0798833152418d630b0c8ff4a8905e

SHA1
324b5a1ead4374ecb99307fd1eec015e0db09b4f

SHA256
8c4e218cffcf5f761ff3820f8b8d615a5a816215993abc2bcd99aa848d9c9bc5

SHA512
746c8b00a0faa1ac0a9d7540c097995cf492a49c18284edd8dfcf96edbe84530be19e7ca304fce9f9fa80d3b37799d95f49cbcd2b4295134586c051d9d6d4603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af3d1a8095abfa81bc081326c04f1f0e

SHA1
9dcd3961bc9e70cd27029c59c742fdc58cf08042

SHA256
7a1f62b504bcf0a31a09771ecb0994b5422b66ec71aeecb041e347db3c3ff2e1

SHA512
95dc34b9ab43008a6db261e304a895a9c5bdb1dff7b3ba4ec718736d36dec416831761a02015e42d5213a1664fc9ffc20b796bf3c4a67b60e7f57f4edaa9e603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d33656b4e789ddbd9f6188428381dc72

SHA1
fdf0398e04b9ec7a8a23d207cb7a0e4c94a01380

SHA256
26a8205d02d9eec9e456a48e77d071184c1287b629c1f1c4b3a58e31d92cd38b

SHA512
c10ac03f7173fdc109aba0b9ef414b8fb3680ac3aca45b9917321d429319ee2de2787e61184a8874a019d2a024f7863f4442735b439bf78d9add1f445ecb423e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1caa9ba7340981c163c841d09f716cb3

SHA1
741f54d3648a06832467a7116e983609f63ce49e

SHA256
f02b273b6f469b74ff6905d97feaec099f33446ca2c3f632a9b768cefd4720fd

SHA512
c00c0ace08321bc626b87b311bcde62f4332a19986868fa4051ff638294db1cfa5e9999d8c69bf20a5187691f298b61cc0198ec904ce41a0d033f9f8d5deed9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
53cd489ae1b50ccf71f8a9f52504057f

SHA1
6fb31ee24b93612e214f101ba598dd94ed446593

SHA256
c0644967d5d5656a1361d012776c8e43e9c3cf7d7f0f49e4e844833101dfe8ef

SHA512
6804d9d9034a25c2b6ece549380100f0c3886e57885ab9a36380e0c143bfa74746873d3f023e5683f3de6d22c876048c8b3ace399bf7b86a350f9dd7bd3ff60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13384889698260303

Filesize
65KB

MD5
611515a527226b8e5f7e21f023d1a9ae

SHA1
38af3b4a04b1233b8130191cbde776468daabfd4

SHA256
eefe3cf2434ec425f50ad6364a1605e34b65f67c915917c55e5826798f8f9f26

SHA512
f86381ea921ec15a67b6e9bbb10b0eb10eea639529a1b32fb1e535b3bfd18143aba274a28d0c6de9f686b2782dd7f8c526e25bedb410bd65e70fbe4fa03815ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13384889719594443

Filesize
33KB

MD5
4ab5474c29dfbc764efeee9e9c08be81

SHA1
840423d6f24dbe9085df546ccffd7d0bc57c0c3b

SHA256
ecb102bfc9903677eaf67ba1e0fecb7b3bc88ca78b72a3ea8ca938affceb3814

SHA512
2ec9af1199aba905daf57c741250875021fd57fb240f60a79accd82f12dc2619c036e3406f6a0ea534b0d8722a3b726999792955686d4e2a056dff0aceed1d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
fa8c4653e4d73b431fc82645aee9eff4

SHA1
fd8343f4da9cd53082e13234c3a6e38a843b6e52

SHA256
5eaa414cd09cfb0b629e26c7a31aa1d790136b3a7c5a786084dba7778d53aecb

SHA512
344d0778817945f5ed7d84bbb3843096a19c82d5ef17f48f3334f06149a4c248bca248a1b53ed584bc8f0f6192b376dd04c9739fa3bc2c3f1c6efd5ce16cde41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
bfe6b0ab540546cc9a257d5a184b6afb

SHA1
67bbe8fd0bf4aefe277e2aa33b28b4b3e5f6ac95

SHA256
3fb0d24d5253e80338536a1480d41541c4dca312d8be3bf592136d7344b0e891

SHA512
01f68367a1f13c6ac5d4f0b25a8cf04d5881367dfced0b020d14bf582b79ad8b23da82eda9a080be17a6cb5b7550075dfdfb63ba6d4b1226558a9d3a045b3371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
73d3223d5376e0f984797573e5c037bf

SHA1
7fc770e20490d4a0440d69c575cc327d57076358

SHA256
bbb29cdc8a7db2c774cb66cdec1034e763705f5fc68024826d48a68368d9141b

SHA512
44f53c06a0aafe5cf5282556511ed4d65ffd0bfc3f3643910deeb9c7d36db0859d253e9c838c292822fc83d37d60fdad6a970ef2bc50f584370343e5128f1dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6a8820a05c28da9d37ab7143dfd9786

SHA1
a2592ebb28071837404b4555227dc986411ab4e2

SHA256
bf0b1a722441e94932333cf04f7bb03d10b67dfe3f124795575f9b9be0ed9f49

SHA512
60670a23d6f05fbeb23582feb22912e051098da0fe7d2a5c77b1b01981e7ca6f1cb3435ef82b4dc85d13c56ede26d6f2f5bede2ba368a9974435fb456d54400d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ce1317dcd301f4bbc480a9044952f3ea

SHA1
7410f32c782a55543ddd33e489b8c7e10ba56ff2

SHA256
55c5e0b3450e03fe2f7d4548967a4fd79de0ed887a98a52f78128717f186f456

SHA512
5c754f68f54b6b4f8cef844772ee839406fe35e82cfc408cd59986878bd4df94339f642eab1a34802c15a0f73f16bed2bc451d3c544f8fe76ffa8eab519a5ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a0689.TMP

Filesize
874B

MD5
e7aab855cf44ba7d4106c392b1bdfaf3

SHA1
5f3bba1b99fe59bab45badd5a419ff45228b8636

SHA256
3538acacaa737c6894cc68261133f9fa1c9594e688919a3e36eec2549ef78209

SHA512
4aa428762b6d74318d13d2dd504cc123778e622961517c5d5ad6c4dadadd785507e880297b7e54f20ca3709e5cf751bdb5128b14148ee4de905af8ed7f70ca71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4deebf0aa896d715f4470fe68c890d9a

SHA1
8dfe7c57f0f2dd9c608c0afff32cb51e1623e38c

SHA256
1a3a3e965e1a96b5330454829667d055eaf0c6e3cb1bde0c3fb206913037d49d

SHA512
5fbf72d4e8a6b9ba35f76aceee888bfd647ae1cb88c6389126bdfa835664be540c9a92b252aee0b3fb478b30e9a581e1c27c9ac659d6b26acd8d4502c64b3b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1acaba08f7b21e526a9ad8bbab8f5d31

SHA1
843765c9636dfd8729e8b1a38334f91a1f017eee

SHA256
f906200a72b9c8f112685f5643d7d09dee60f3d4326ef6d3a4a3a338ed5e853c

SHA512
9f14f63281e337b71d004c0fbd11ea5470e83fe00921cc6eaf73f817567773995224a931742cead098235f2a81007775be561081fe7ff4131559f1aae3a0da39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7420ed82fa75e4b232fd6d4d5fed69a

SHA1
08428f9b22cc293bb59b6606ff6a04349e2bafa3

SHA256
23acc45e065363407002db54a6e846a5ff51c3182fad475d190b9425e7c8fb2a

SHA512
85474c466442a249a2d05472a34f233fb525ddd0ac25c0178cf963bef1533a5f0ae0b58017478c54d8242a76d4ecdfadfd332e325858a85cd8a3e88bdb2cb782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
873bee5bf2f2f6e135b8fde5306b91a4

SHA1
69f409015fc0eeaf250bbe412705ebcf3196f3df

SHA256
b16a7dee393ec3198cb319b177ad96bfcc76c3a20c987998fff3a573ac5d0d54

SHA512
ccfbb321117480defb36ee6dd3990a67b47b7b8d59e58cd6a33c0f193058b85e3533bfd1325644aa70919639f42631560d386f4b20e7a773be2e7a07b997aa9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
255616db0b1e173aaa35e41ced499f6e

SHA1
42a3f437db3bd46cdb04d3ac3ea83e6d16ddf2b6

SHA256
a1292168bbbefe9a348cb4f8d87ab970dcba6be594aea37c5bd5df37b0333ca4

SHA512
9a2e3ec9d02e2608363867e1ddf926396b04ab5c9e5d6c10d00e12cbc691d50d23c24053ed73182d3b4822ba8abd34b9a6f6fab5e56932f5492505472c264471

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
18KB

MD5
0ff6f3db2275c850aeb5ed19a661d0fe

SHA1
6c89b55df60fd6df4db40d649b4d1292fe5a26ab

SHA256
caa7bacd014bd651892e82ee958e711d057d5cfd6b6692d94e9515e33d3f529e

SHA512
ddfbcf17334512c7f672fc02565eda36cf81c443d68ced7bcacb3b5acd608d37f7b3f5a917c6f9a959b4385c13619977a3dcf1d3aa1b63d6329b7554d5e964f8

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
8dc02bf3d0e4f0710baff46c06847bed

SHA1
9991051ba3a0ad65da1e1866e152c2ad30504639

SHA256
05846066ea18f17e0cb8bc6c326609c53e0b3b3358f72b04e9e05f7cfceb8ec4

SHA512
3bdad6b72e61d53846b054594cd351331b78bedf2d629a30c5a5ce941c316bc9ce1dd2e989852265a92044fa4646a05e13d0f98c5b6e7324914dddaf10fe448c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 730762.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\cat-cute.jpg

Filesize
87KB

MD5
b95f972b9b33ef69ca3b9fb1b0adef5a

SHA1
d8ad42fab3f36712b6205d6205ac0947615caec3

SHA256
b1d1005b14deca1ed1e078758d7fc0dd9917748b46f71b0be16b44c57bd0088c

SHA512
5448bcbca0acbc02b2cf12e81fadb1a0a1b5b27128a530a3620576b58a26926b8b07f814f2dbc60716321f883e75d08a3f606b14b8cae56e459065c7456b4def

Download Submit
memory/1116-414-0x000001F8C3A30000-0x000001F8C3A48000-memory.dmp

Filesize
96KB

Download
memory/1116-416-0x000001F8DE8A0000-0x000001F8DEDC8000-memory.dmp

Filesize
5.2MB

Download
memory/1116-415-0x000001F8DE060000-0x000001F8DE222000-memory.dmp

Filesize
1.8MB

Download
memory/2552-210-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2552-211-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/2552-190-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2552-191-0x0000000005CF0000-0x0000000006296000-memory.dmp

Filesize
5.6MB

Download
memory/2552-410-0x00000000073D0000-0x00000000074F2000-memory.dmp

Filesize
1.1MB

Download
memory/3588-600-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-591-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-601-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-602-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-599-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-598-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-603-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-597-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-593-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download
memory/3588-592-0x0000016642BD0000-0x0000016642BD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads