hxxps://discord[.]gg/nightcitycommunity

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.gg/nightcitycommunity

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
18	discord.com
20	discord.com
23	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{DBEB33E7-FB07-480D-BE0D-D1B3F0525646}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
3096	msedge.exe
3096	msedge.exe
1584	msedge.exe
1584	msedge.exe
2964	identity_helper.exe
2964	identity_helper.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4784	3096	msedge.exe	88
PID 3096 wrote to memory of 4784	3096	msedge.exe	88
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 4432	3096	msedge.exe	89
PID 3096 wrote to memory of 5052	3096	msedge.exe	90
PID 3096 wrote to memory of 5052	3096	msedge.exe	90
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91
PID 3096 wrote to memory of 892	3096	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/nightcitycommunity
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec15546f8,0x7ffec1554708,0x7ffec1554718
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16235532895955552062,5756296693771823193,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
34KB

MD5
02214b097305a8302b21e630fa201576

SHA1
90c2a31521803b73e847f7a3e0cfceec84df9fa5

SHA256
1d98076cfae6a0a8f0b0b1c654270b900de83e633cc01d98ef63e6a8e485a3f4

SHA512
553c81eb51880f83b9918aef766ff0f41170895b1cda2589f0b69c3d1362de8e8decf14a413f6b5df1fb7ce07fc939211407b29046188b37c290133c9d5e1cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
1.1MB

MD5
fcb3b79b4ee2a97d69020a59b8d5caee

SHA1
4c8c8dc00b8c71694cdadbfd1fe70358d34a0883

SHA256
36b4ec7a0ae8d3b2f907b88735287ffc68c0c35e472b3c8cc30f49f4387c9f8b

SHA512
7874b3e78d0c0ef2f1f2e417a989550208c20aab398ef9ec800104dc047ec3866863dbbeab379fdbda7643210b03e20d7305a5fb776df88bef72ad89023cb558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
106KB

MD5
190ba519974fd31baf71de8e1b595692

SHA1
2b8d1a7089db83ea57458fa72906f41d55490866

SHA256
77bcc90908adeec68be7e676e19f9f89feb7fd19b53da5aa9783c89ac7ef2b02

SHA512
f3e2bc4fcb43023aed14b49c35eed07f293c958e32018dd076b6d82c0e3f702a7b7dedf50b23be66b2f425e95ac9261e4210e9504aa882c766d4b5a67de0f069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
222KB

MD5
972187dbfb0ad07a8198bcafb5336894

SHA1
34b1a726f099fd1ec2beda6903d79dfc66252717

SHA256
eddf76fa6e0ef52870be71beb1d025cfd97c6f4135ce8da5b562d6f5f375ca2e

SHA512
9fa776e47f1be9b3c49838a0970695d2843623ef1a97cdf5bfb160eec49f79395b02ac3df2967575694ceef3b95e8d9af68627cdced626275377f7f3e5dcfec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
312a0af07378bea9ff949d6d3aa52000

SHA1
af5e4257c26b6b4610b03dd5070048ce6d5ead68

SHA256
ba5fae49ed010493a401ff54fd789952f461107bdddaafc91dfbe67064c4ba8d

SHA512
79374e242fcef6e6aaadd5feeddd84dcd985a190dd7e59dca41698796476910008e54bd3b732fcf92f4b5acea2176f4f9a729e4d94592fd65813057048bb249e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9afc426217f577f74e56bcc50a328e6d

SHA1
798459761cda08fcae358c7e42d1b45db9add5f9

SHA256
e12748a2baa7a5c31e6966babef2522b0560c2a57828ccd8745b52f34b2f4172

SHA512
d38e34e4ebf8f00c8544ab6d1486c12235cc02ff90f1a0906f3fdc3ddbc3357e890c9faa333dfec50eb025127fd5d2f0f87c04db0f5c8685e35f2cb913be3c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5693de687332efd3a80cbdc7aa693b6c

SHA1
f559bcb45bc26eeba6b4d1a7d6f7369a21e1600a

SHA256
953ae59861dce936716d8f7ca18395ab05b1d9de46be779d392b6c584b208396

SHA512
cc94ff4b31a6102bbaf99d1584cd31cdcd8526000440b95b5a330efc2a3b09d09feb1f133dbfe3ab606aa12339ec1c1855ef7aa0d8ac48ff6d9b2ab068f9c86a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
970B

MD5
848912996f4ab01162f45aab10e8c007

SHA1
7876b826126d3ac480a3c689c20facbb6f576a00

SHA256
2fab71998539268c6e344c4d829e958707643a5afe4b76ea569f5e50fe225bdc

SHA512
a231638d8810612ae642e6d53b6ed6e69ef8b4a5e240d3511e3b2e8c3945f12e533b0b40e92ccfc598c5cbb6827b8e900fe2e741d097fc463b623797ef62e684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
badb5d18d3195718332e2b0c6f879fbc

SHA1
44f98a173228c483d1f6f9df3116ef5ea350eb0b

SHA256
9255c726988da44a79ea22504147d29129e0e0ce72a637a6755999868eabacd1

SHA512
76b193db1207d1e1837830c7178f85ce84772df3e53993ac7ba5de0a1556ee79a827188d35cf17579bc0e7fc63d24729c28dd0a19cebf4c45db8437a7543939b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33be3ab4712156204d357abdc50524e9

SHA1
e0342f4b0212714003f25a49980cdd142155c38e

SHA256
9e038b60158819dca94fbd4414dddadfc3af4ab9cfe4dffc6f8732f5ae4c9d94

SHA512
29e8b7739133a11ba48c387e79d9f6e22d8f5492e913bdfa983942716a3c7a0797bb9e4bc5f4329415f0a34133eafe008692955ce26858301a122e786b98a3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
425a9394de611cecc727abada8232025

SHA1
69156d14fbce7cdba9e17a60b8d77ec41cdef987

SHA256
06717434a03793ded57dd8c12c30507a67115dfa1f25c33a1b0e2f2a78bf9c74

SHA512
701d691c40037591af63353c52a68641dd6f296300c30f1802670c8a1fc17e20281433f4f17da48763abb5dd9debcd581d62f35846804ecc5d804ae04752c9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6166a8ce4f478fa2a08c7ef52f2dabb8

SHA1
5f7a9df665871fee898a364b097d00fc7c221414

SHA256
38bb010b3c95dec135ac153b7adb1f44da1188752518fcbdc2180881c323df0a

SHA512
46d65edfa22f0062b120d9865ffc96fae5d763b78b9217b314cdb1c046f5442c60f298ef4521a2aaf561a45d66c11b83d7477ae328ae9ac1f4ac4bb4c44f7fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc29e3c2d544be3ae0d44119a6c73491

SHA1
09e38842ddc110fe1e0ab19043d4a4b703e0f291

SHA256
121c232b61454d7b5aa47f8cd1353ad04fd70b7829ae3cbcdc669fb712d83837

SHA512
ce4554407583bd9a5305d34b128819c9d0df875167b1753c2cfa3d705467d0087f4b669d8def44c3ff693d712ce1919eceba606a91a7c45852dbe84be273262f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d01cfb7751e8dc6eb57f586b2d6c716f

SHA1
e96e8d626eb16caed0a9b9d83f90d3d5fa2143d8

SHA256
7b347b8ec4341e8584135aeb7a097f8e94e4f9e5263e29d3d8c9c5fe463abcc4

SHA512
36b87df7cbdf28314d7c8b321f3d7858bf18feca763aa69447b8d5c687f52751a8674b03e74777237f4d103b438ce08b402393da37196d60aee78ce72afc165c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
ee17fbf82dd79eb80998ed1beb89e414

SHA1
44d6397aa13fa2099e7c509b966dd145e8719348

SHA256
1a39f6d6f4322c6aee6e01d3eeb2a50aaf64192704c62fa41ed38d606789f10f

SHA512
4be2d911532db68f1a7ae57952de37c18d507a5660f9c9737ce9943d423ec01e29ed126e362bd95fe882b2507b267dfc39ca791b5f296dc3f6b9f3de5deec3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d35fa9c8ef05ddcfc9711872d63dcb1e

SHA1
146125f9667001b57089bf050fb3c6ecf8bc4a45

SHA256
423fd37f48fb33442b755a152809dea5f1ae443ee2034214e28c354073220072

SHA512
daaa9a9333318be25c303d39fd2d3fda32495f142b78db0561ca98c5e20488c2d9b03af06268ee443c206fbd68f97eee340902a8f8534ce41e705e73bbdaae50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
797dcf0af2ea0d7b41c4ee8350a10ac4

SHA1
2c353d305b6d6498def7490b2685cf79e651863f

SHA256
b7a9263324322387ee7685eeaa12133893179e571aa3fc1a28c7028117b527de

SHA512
667dba7da2b4a043d3c1c68018b59e5fb9a10ea9dd6ed7a37ce0f94c21316755dc1b21f81670df02c4555c940ba766a29e39a581e39cd0a205c5109772f50e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15db086f5c669a68ce41415bb9143fb8

SHA1
cb3d6a90a44ad0c4abcc953eff2470596123f2a0

SHA256
9261e9c3e3198787e25d30c40bca297f74eaaa6371fa68ac53b7f439d4e43df1

SHA512
ee46adde08bd999014da49081cbb4e71bc4d6e6648426aabd306e1ed7e17f164d511e76389c6cbdaa0adfa6b38054b6905bb7989d6d55566ff82a2a8ad2a3b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d8f9313190ee6456b7859c028597054

SHA1
750347118cc9ef2ab3966a11f962a0bc241dc03e

SHA256
01aa83b4b0202d0927bac0fdf69ee304a7130aafa8e151af286298abae3cfddf

SHA512
1c9cea2c7239473e71219ea887484d0bee8fd5464921f7bc4b1ddad50f54843a5803d9ad7292eeea708f5deb21832f1ef842a356e08d7bc7898ea94d9476ca2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad667ae587b4611aeb05120580409d8a

SHA1
fa55d7f8df02345c348902a952c9281b1667884c

SHA256
0c9102e0b6d8fdfb56053e94203b04fcb8645d5f9a0a9764a54d880e78946e17

SHA512
b89997ee258bba13cd5807e2dd1aa819181f7c70152f1e864a7cfb5af83001a8880c69a50a3d4d35dd266d512d14bea7db5b3849cd0084b2583ad4536ce0a14a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac7e129a1ae960c80854052adf250a00

SHA1
b28fe1c59cd759606516b9701f49555a329c832b

SHA256
6104ef51e52c75d08a0dc03a9edaa85a2699025f5b7efac7ba81f3c753cae37c

SHA512
47a0c40bb3e3656c991d9381c1f9b98f902abeeb3ace0bf6bd60bb76263e27db6535ff7a9881c30f07e854662e4ade4bdf88edafd50f2248607b5614cc178181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c18542838f57104b8d3451b1ccbe5546

SHA1
7eb17b3f8a02ee5f2efe6fb9ba5dd449cf2fb668

SHA256
50d90b37a2df18be8c807cf3df1bba7e6da2e374040633e09ada35bd13b0d166

SHA512
02d8bbcfa39f27012ce577a5afccfa670bfbb9bcaa9cb97e578243316fe1d836b4d13ce0d34c536cf25802786b8eb99d13b3719241c6ad7891d72353efc776b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cf66.TMP

Filesize
537B

MD5
a52c736de98d31c26bfa32f6191b198b

SHA1
75274834a66adee722660ad59c3cd5d707a9cdc6

SHA256
c2e4529bfe499ddeff8aa631fe50861d85d691346e35100c5d0209225f8c4104

SHA512
da6fa2a526b404934117ed574dc0784ab6b9a08df6128c0980cabb9e5c8c0d95083e2d47bbefecade3ff45f037f9f808a7b2e4beb76f39fd9071caceed4dd994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c0fb11e1145f5c0df47719bb2408b304

SHA1
53686de6b16e1b053757da2afe13431cdd34574a

SHA256
3d5f16d0441b84449945f85c96072671243acba843ce807a5877c8110d22f119

SHA512
8b3fac8e3f3764b70b636a4884e4c8b03f43a412fd5532264e79e204b064277547495185faa5a5f1a946dcbc687a5e6eb2e6a0b9499a85dada8870237122ae59

Download Submit