Analysis
max time kernel: 62s
max time network: 64s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system
submitted: 18/05/2025, 11:01
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/NebulaExplorer1/Discord-Token-Joiner
Resource: win11-20250502-en

General
Target: https://github.com/NebulaExplorer1/Discord-Token-Joiner
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1364510583419965530/DgB3uiidc5xSb85ebblakrcNqhIf6IBOQ5toLGbjTtdBz99vyyD5Slh7dc7CVahfXqJT
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Mercurialgrabber family

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Preview.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Preview.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Preview.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Preview.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Preview.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
168 | discord.com
169 | discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | ip4.seeip.org

Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Preview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Preview.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Preview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Preview.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | msedge.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Preview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Preview.exe

Enumerates system info in registry 2 TTPs 11 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Preview.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Preview.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Preview.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133920397287676006" | msedge.exe

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-330179853-1108322181-418488014-1000\{67F7C5AE-8AB7-480E-9128-5CA663ADD948} | msedge.exe

NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Discord-Token-Joiner-main.zip:Zone.Identifier | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process
5208 | msedge.exe (8 identical entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 6104 | Preview.exe
Token: SeDebugPrivilege | 3436 | Preview.exe

Suspicious use of FindShellTrayWindow 11 IoCs
pid | Process
5208 | msedge.exe (11 identical entries)

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
5208 | msedge.exe (2 identical entries)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5208 wrote to memory of 5648 | 5208 | msedge.exe | 82 (2 identical entries)
PID 5208 wrote to memory of 4896 | 5208 | msedge.exe | 83 (2 identical entries)
PID 5208 wrote to memory of 4320 | 5208 | msedge.exe | 84 (51 identical entries)
PID 5208 wrote to memory of 4272 | 5208 | msedge.exe | 85 (9 identical entries)

Processes
Process tree (child processes are indented under their parent; each entry lists the image path, the command line, any signatures triggered by that process, and its PID):

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NebulaExplorer1/Discord-Token-Joiner
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5208

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x348,0x7ff8630ff208,0x7ff8630ff214,0x7ff8630ff220
      PID: 5648

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1864,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:11
      PID: 4896

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
      PID: 4320

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1984,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:13
      PID: 4272

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3440,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
      PID: 588

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
      PID: 3052

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4672,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:14
      PID: 3824

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5208,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:14
      PID: 6092

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:14
      PID: 4504

        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
          cookie_exporter.exe --cookie-json=1140
          PID: 2168

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:14
      PID: 1388

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6008,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:14
      PID: 2528

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6008,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:14
      PID: 1088

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6164,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:1
      PID: 2412

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=6256 /prefetch:14
      PID: 5768

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6500,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:14
      - NTFS ADS
      PID: 1728

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6736,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:1
      PID: 5320

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6896,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:14
      PID: 5212

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6508,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:1
      PID: 2172

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=7320,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=7328 /prefetch:1
      PID: 812

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7488,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:14
      PID: 2176

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:14
      PID: 356

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7192,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:14
      PID: 4084

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6184,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:1
      PID: 4696

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,17752106249875763809,15042969796643046622,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:14
      PID: 3728

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 796

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  PID: 4992

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
      PID: 768

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4000

C:\Users\Admin\Downloads\Discord-Token-Joiner-main\Discord-Token-Joiner-main\Preview.exe
  "C:\Users\Admin\Downloads\Discord-Token-Joiner-main\Discord-Token-Joiner-main\Preview.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 6104

C:\Users\Admin\Downloads\Discord-Token-Joiner-main\Discord-Token-Joiner-main\Preview.exe
  "C:\Users\Admin\Downloads\Discord-Token-Joiner-main\Discord-Token-Joiner-main\Preview.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3436

Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 280B
MD5: abed9e3e2618edc08b0b4a9bf347482b
SHA1: 4b8e21f266a1b3861e89185599ab6b265e0c308b
SHA256: c1db9209bc374a2f86cd95b7346b358838349df213bbf2e5a06533baaa399d8b
SHA512: 11ac46f03cb60b91cc665ca07d95cef83b62e58ef3e2c0e57aad330a2f44ddffcc94b6bc031f690502171ae756869ec4b1c8cfd689529ed13915f42ea2cc1bc5

Filesize: 29KB
MD5: 2428c363ad3ee3460afa681a8a830b3f
SHA1: 146b483b4ef4b471cb4cadd8988049f5920d8f09
SHA256: 214df30aec64c20ce7d6b1ad37902b1c1029ac41b63439de98140ccba78d3a09
SHA512: 5150521c5b1934c4e9086d687e2c016b1c7be7096f52f0d1e10b83ce0d0d6ec0a4d2a101382e63a9ec9db0b2d9557f35e3523ad15e2db28472ab1deee654f69e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 7KB
MD5: 011f9d7c8d15b2f9c7d8ab7ac636ab86
SHA1: a7b815d6cd9b4f6cc6ff140c90319949f4db07a4
SHA256: 642efa92e602b66e2a37078f7eea35984b2c1e09a838c761e00803ba32a28aae
SHA512: 035dbba074a94c3b86f5773dffb319d29ad6be5f9a122d07fad81016108ef28b972822e61690a815d75265bc82c43e8c9c11fa0aaacf54b3c0b7d79ab0cfd055

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583285.TMP
Filesize: 3KB
MD5: f5fe2635bfa3259b75be3e10769ecce3
SHA1: 93863c0e45541a1f4142de86473b7de4e8d8c415
SHA256: 955f71b8adedb09706c02f36219584e69485e3757cb470b215cec88e9eabc7f2
SHA512: 53e633e3e7cd2c3e46b1f5e77cf00f15bbe68622370f2e2210294e4982621b496feb1e3038a2805b730fb55370a1cb49b891a50aaa860fb7cf53a16344c0ce86

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 108KB
MD5: 06d55006c2dec078a94558b85ae01aef
SHA1: 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256: 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512: ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 19KB
MD5: 545edb1abe5f4d13a47a2ab2eb2f9ee6
SHA1: 24d857c70ac53ca440f3941a119ea10c7d9fa7f0
SHA256: 25b904d07cf379b7f89f2b687fb1dac231bc7c3c660f0e2b4fc2f0bbba7d70fb
SHA512: 5b1a1e28894cdbdcefa43677ed7e21111f0eb4da4d684aa6fc05cd48dad32964d10d1929d48ae9215993466242b49566f9bda1e5e8e9fc1ab982174871e90d38

Filesize: 17KB
MD5: 90c96561588a20be2f7d06d64e1b7be5
SHA1: 717bb4e6e5b3b067da5bc146d7ac9415459522e3
SHA256: fa0798047a8926dfd63455805e97b67e5d6c9bd00106a98a52b6089628270ad5
SHA512: e3d054b3c6cea82e18f2da9b0f8423a5bc122c723b9bf4313b3a6ec7dea6a69a76b234b8e75d36fd0eca13244c331c9a937aadcced3c963a391d90ec589cfdcd

Filesize: 37KB
MD5: f0fd4fa2dc178d4b11b5cd3f74999982
SHA1: 8350835bc2928d8a1b2d21823ed303f49b7cb9be
SHA256: 49eb2a91aa2456b600a596f5806ebd75c3d2edbdf042a3f5637c010e5e9386d0
SHA512: 3dd4e21a82f6b1d0f3dc6c237a5930c7a62f1c0d4ffde9f93c04df48c55e4a54cdbc15f1d10be16497e2c084c334bdc677fb236af972853316a4ebf50b3f4173

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\37432495-bf01-4d2e-8f20-5346491b28d5\index-dir\the-real-index
Filesize: 72B
MD5: 447c7fa19922558d8e6559eb556840f9
SHA1: 9bd096c3f86a417776ba286e39d3112ab086203d
SHA256: 774c8a4ce08b7e456e8fd0a2346b3e8d875e82f32df91098fc612a2bcc224db5
SHA512: 1854753669e76e4b1bc6cd5a81d1c2674de1390b431f429c55fc9fd6bd4e2e2ca94621c76b666e39b19c981e2af31cca2347f0eb8a22fb6b261f6e42f11a2997

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\37432495-bf01-4d2e-8f20-5346491b28d5\index-dir\the-real-index~RFe581cab.TMP
Filesize: 48B
MD5: ebc7a89228693a7b2abddd0c4cce74d0
SHA1: 8832fae92765b028cc4e09db74c3d3b3622de898
SHA256: 24138fda8a437bfb51f7a042e7c09190ffa2ecf17f7ca3a47347fe9f3339de55
SHA512: ebffb58dc78f7224f458cb4c1477cb09762a7428a73d840dfbfb4ae590514441bf6940de9d88b30a556dd6b2bc48b6303f479aa9fd5f33a6fb412592ddba58d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b69b8602-856b-4bf3-bf8a-d58b434d1f77\index-dir\the-real-index
Filesize: 72B
MD5: 0cb92e1fa3774b377aa5df066063b5a1
SHA1: 3a1dce3a1a70167c2a7683dd23938f78865cd2c3
SHA256: 6f4b04721cf1f8ca1846494a085b15d4720201c9354f0acab80318f18b510612
SHA512: 88ae0fe07e1e29853961807350d9650867ecb315d3c922e9bde6658aa427be8d23585f0ad8335968a31c48f942e4e871fee28739da6b68314b67e64aec03685a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b69b8602-856b-4bf3-bf8a-d58b434d1f77\index-dir\the-real-index~RFe5820a2.TMP
Filesize: 72B
MD5: 7243a30e898ce4a0603f019cd7db5ffe
SHA1: 6383c493aed8ef63f156b8aaefb5e0e67a621665
SHA256: f8d86587d283b73f68ee28993768cbcc36a4a98694415a059be6055cf6f0b6c8
SHA512: 154e44ecb2bd255b18ebbc7df9d39c3a705531f1662e85b7af267c897b8f90d6a1aa725d1e6d9b47d660978ee802ccb6d3987ba43bb6d490e37279152ea81461

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\e819d3d5-3d8b-4ca1-9eb8-9b0a32b9b2c6\index-dir\the-real-index
Filesize: 2KB
MD5: 48dcdbf7dd7175dedbccef215098b1d7
SHA1: 3567ec03cfff28193093407af06136243d671d45
SHA256: 46a96f1ddc49c95b98edf7566621761614cc41d42f3a6607399e0fb5f2d51256
SHA512: cc1f92eb5083a3915ba57cf432cd7ea6d631a3055632e9aeb38f89103e9b2b06863efb52d5c833276f18f7cada16892708c7aae80cccdbcec2919ea3ee5d4c01

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\e819d3d5-3d8b-4ca1-9eb8-9b0a32b9b2c6\index-dir\the-real-index~RFe583822.TMP
Filesize: 2KB
MD5: 3b944bb2b58f2f4c3015b3b4a68d5d38
SHA1: 929f341968a09119d456b45c7371e724fb59a894
SHA256: 34dda2aa7fda6bcc7e65846cdd2403a090283ba892ecfc146e4a55da0cc6aea3
SHA512: e66cac91464aa3521f09698659c3e9f1c4f0993d02a04673aea7eb08e3b85a03af218d5b10b3f530865f35517c9f15dd6f25bdecaa069fde5ea13bede9c24acc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize: 320B
MD5: 5477b69bb3137baea9aa0eb5e19722b9
SHA1: f1b44177da6a3a270be8dbcd72648aa65a661d5f
SHA256: 524eac81bab35c71ad69273795d5736a2d037af34df1cdf66fe62491889bedb3
SHA512: 3835d6e5915fba8e0a50e19df402bde401b4585f629f426eb1c446b55cc3647616e2135c9166a7a0e1f35e5e30f7eefb4064f603e369a57ab30cfd0fdded3b2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize: 325B
MD5: b433eeb2d746272cd117d76362f98111
SHA1: b719791d8bdfd4674979c78b31800f435d8408a5
SHA256: de63dc1479d16e70d3a97847c18be3e5bab7c50fd17070c620d556ce94c493ab
SHA512: d1f9e666af7a3401485a7ef96d537ed1353a46f6535d569de08a678dd8a6dc126d49851409152a8c7b4f430f9f6fedc2d659f34fceb6950019373e97bccce0c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 108a6796721069be385b8c377826c843
SHA1: 5357fc734338f62eb62ef48ee0a52c9da2fdecb9
SHA256: 7202c4ae8cfe63bcc000c6f424b172aa11d647a026f4bc42b4d2aa0e426ce27c
SHA512: 19aa77b628f63119d0070e7af62ace583f60aec0e3277202fd69a3abb8edc1d733cd7f567821cf102c30317a7f48c83a6244543f1ea073c724ce4d4e169e4541

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58338e.TMP
Filesize: 72B
MD5: bf25c13715750d2854f80611d02ff000
SHA1: a1040af254194d8838a5efce000bb1af47477f23
SHA256: 0b386c8e5f1de5bdc36f3b00e4ed4da87ee6623c7ced88257fad22e8071499e6
SHA512: f06e702d4960774ba836e8a9dad6ecc7d6bb6ea94ff7882a97fb75713cf731e2d61c7907ada08c5032ba9cbe03d9fb253f6cd1b52839f7dbf42fe25806033201

Filesize: 22KB
MD5: b4d66b46e37f7b05bdd9655ef874773f
SHA1: 3b650d494957ac668f942519f9c8898091458708
SHA256: e1673dd677343d194d245ff14943441fed9b13bd3836b134fa99bc8ab2aeb985
SHA512: d2567cd3561e979bfcb7e7e26a7219eed7d438522710c9e937926b6073691d98d8b9d4e51ba692e8ea20fb349dc599d21916bc58b0e01780391d7aff1d8bc8a8

Filesize: 460B
MD5: 3d7c92f2525a883671a5ce91c78895bc
SHA1: e1d4d8bbb3b156b0021948862467c28594b8537a
SHA256: 79b7ce7519f66758e6214942834bc48a34f907d77a1e7c0d97ca50de3cbec76d
SHA512: 18b01d64350375cc5f67eab4ca758eac9d36284782b7fafd6590d9389d749c8349fd0cc987c0f4d11194fdb80c1d45734f9404049b2d2af4dd7bc009939e5964

Filesize: 49KB
MD5: 99a77ca523d741640fc587737f60f700
SHA1: bea373d339f1e40482460ed0e969153943d97826
SHA256: 7e0d1248056d639332bfd37097bfb9d34d6cbdf4266cfbc0d6244bede533e0df
SHA512: 7c2e701bacb6f1f9d49ffa02d50b6af5175b998848d340939c23d0da6789fe5f83ef081bb557bb5b3fe64d2fa4751231cf07dcd2c151e329461d995dc1b657ef

Filesize: 40KB
MD5: ee8be804b9f3b98e43598e5d0b0fd5aa
SHA1: bbe74ea2e3a1905484d2ff0d46a27bcf60589169
SHA256: 6a44e4432af4d9dc996776cdcb5b0d12cbee78fbba7e72fea9f3af3386519a36
SHA512: 68ddf3030a8d6196eab993c2da6d8b1f16d17bb5a087ba53d8cf3c476bb5a61afecfc2b28c87c850b54cb0d14369ef734e60ffbc33dc983e0ab29d733ee0e191

Filesize: 40KB
MD5: 13447756d7707118cd3e40454b039e36
SHA1: a82f9ab994ad0297eeb840bc993e3a051c0a445a
SHA256: f9961e441ddd30712be94dde057c3d0f7857a04fc7c36a6ca677823f087eb34f
SHA512: 6147e78eb865f0a56dc21c18040110af21a18d8caf22eb211bcc5afe476b443d538eb27d91c788f0b24bf9cf438795a47a1a817cda3ceff61f274f653772d30a
-
Filesize
48KB
MD5ec7d80fcfd0fa5b695a79d168efebf16
SHA1b0f88a72905cf683ae4ce7e24dde8c7d955e2ad5
SHA2567667694ef1c6872d7b5b7f21d440d049bc13ade5964db98f1330c92f34a969e4
SHA51285dbb4ba730da3a30f56aa0af14661aad35eac19af4defc0e2c04060e48ef813abcfb24c78826c0274698b5402d36a4dc19b6ba43693a49f78ba5e6cff256a2b
-
Filesize
392B
MD53321f9d4c290462d69304b72b57b9a8c
SHA1aac457cf5ce9dd5a4014ac36c3a87cb43c7418be
SHA2560bbdeab5e430142bc987488390c846cc6dd4fe67009a863554b95aaf446761b0
SHA5121269bffc1929ab3d1cacec90c8b678e532d2f9a1a68ac024386d07679d364b50f0a7b9e2c9e98e5d1023c2dc330ac8f0cf5c1fce01969e446ab840e813e41bc8
-
Filesize
392B
MD508efc73d5aa9a9728e9f709e2992093e
SHA12ba99ae10364245d01b2d2808989cbfcb411a5eb
SHA256e3c7f8abb8a145c32cd675295afc4ed8d21930deb05e51c9c991e374205eb26f
SHA512661f175763a7610b9d3c8687725e31899d15d4d8ec9a1150ba5205affc70e3de2ffc6c0abaa059b8a58c8ae79fd050ce5eccfd52f36799aa5761382a50951f00
-
Filesize
49KB
MD5ef453447fff54a7f1f5c6de7096f50d5
SHA12c8ab99bd2eae835ebde618921602ac0545cf53d
SHA25646f5a7bba652de1b52b2acb879a3480ed422138db615d76d37fbf9d587c27988
SHA512edc22648296c40a7c2fc9a0419de5c6d2c59b3781438217388f62d9650ae030841066d5b03f981b256c1c79e82efdfda517862cb2131ca2e35b4f98e2dbfcbc7
-
Filesize
392B
MD5648b82c6efdf2fd7a769f38cac71facf
SHA1f183def5d810a4ceb90b645bc870e16611ec50cd
SHA25654c29f0e1ed7c6700e9fd990f87d416ee5a51ca734218dd25a41c8ee5854c75b
SHA5129c7a45171ce075ef6e979032b0fd3bf231355c09376d0386b7b84470f6afcecf8da142c6100635db0e1a7f7578f0779ac54c69b7e3ebbd370e44abb14a74cc1a
-
Filesize
20KB
MD547dc005b37cef0c8bc773f16243b9416
SHA15c0c791e37d57d78cdad67cf85e34d6396eace50
SHA256fe3a812d32a1611690f53dbb642e720b314ff8793dc026a092b34c7e8eb58098
SHA512ba92852c7a2b5791eb1718d161b84dde864bc63e6b8da8cb49c67842dc84f5f37fa1e64459160e0000cc050733fc80aa29f120dbd678b5aed89ee449d2e28729
-
Filesize
189B
MD51eecb73f8da5d905bde995dedddc6360
SHA1b50d07ca7f0062da503f15061543df5efa13de0e
SHA2562d150d5140f00057476e98c6e2470580f538d97a493fe6556fa00f483da33dab
SHA512d3739fd52b64e0e54127ac4501043678779bfdce8bcf5b1e2380b031225ef52db05cbe275e20c04691dbe329070a76335c523961d0a11f3943a5068e6c6e852c