hxxps://discord[.]com/api/oauth2/authorize?client_id=1236722400872103967&redirect_uri=http%3A%2F%2F185[.]253[.]54[.]158%3A9999%2F&response_type=code&scope=identify%20guilds[.]join&state=%7B%22guildId%22%3A%221244410735937716275%22%2C%22clientId%22%3A%221236722400872103967%22%7D

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/api/oauth2/authorize?client_id=1236722400872103967&redirect_uri=http%3A%2F%2F185.253.54.158%3A9999%2F&response_type=code&scope=identify%20guilds.join&state=%7B%22guildId%22%3A%221244410735937716275%22%2C%22clientId%22%3A%221236722400872103967%22%7D

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	discord.com
12	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616897217968038"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{04FE6D6E-C4DE-4B3B-8E36-CC039F84FFE0}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2720	msedge.exe
2720	msedge.exe
2196	msedge.exe
2196	msedge.exe
4720	msedge.exe
4720	msedge.exe
4912	identity_helper.exe
4912	identity_helper.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4972	chrome.exe
4972	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2136	2196	msedge.exe	83
PID 2196 wrote to memory of 2136	2196	msedge.exe	83
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 3268	2196	msedge.exe	84
PID 2196 wrote to memory of 2720	2196	msedge.exe	85
PID 2196 wrote to memory of 2720	2196	msedge.exe	85
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86
PID 2196 wrote to memory of 4000	2196	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/api/oauth2/authorize?client_id=1236722400872103967&redirect_uri=http%3A%2F%2F185.253.54.158%3A9999%2F&response_type=code&scope=identify%20guilds.join&state=%7B%22guildId%22%3A%221244410735937716275%22%2C%22clientId%22%3A%221236722400872103967%22%7D
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0aba46f8,0x7fff0aba4708,0x7fff0aba4718
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,12084684365783564181,2291604990666257732,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3368 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff0a85ab58,0x7fff0a85ab68,0x7fff0a85ab78
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:2
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4072 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1916,i,13621542829889914463,18354922566304549633,131072 /prefetch:8
  2⤵
  PID:4284

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7825493c1048e6c4bf69f63ea85817d0

SHA1
6e793268fcb94c63feca130dfc68c6a2c9ecd69d

SHA256
136f75f3b6f4903878e094e0baf11312550c49b63bbf5d08cd6eb5efced3f760

SHA512
4f3f4d96883ccbd27fc70235f2a75b621c406276faac1f971fdaadaa40fb5f9bd54fb54bd4b7af016c8c08e4c8fe6486a2c7138d8cdeefc7dc173ecaa873211d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4292bb6aa9f1f4ec05ee025c6bad1b8f

SHA1
250a915364b6c0eace45e9fd9700cbae01d84ff9

SHA256
2a6ccefef5b310b77cd074c55f8db27b6e56d3629159c0f47cc78fc85a2dc193

SHA512
6fe5bb027fb7a1a1c162d07eb975e39fb61cee10ffc7d0f8e089566907820c4591370edb9d77f19f26aacb93152dcc57e17ebb8487789b08d4b314601e47b7e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
af6ec117605b90510f13e0eb8957d02b

SHA1
c0abd99e974c8bc65fafcf4c4cf595d24324f814

SHA256
1a4d8643d4e1b62945e8cb0b4ddbb843e7cf3411e202096e6930848d9b238fd3

SHA512
67d187180f6b9b91bc0df4323835c47b0c1a0433b576e9a36e8688e4720e52b68a958bfa3e4f3e44d9d4cbba4fb01a9ac61752118024bde4dc035fd50287d513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
5826ae26bfa793df29230a307355bd2d

SHA1
a87cdd8e3afa4e747a3cca089ed402104ed1b804

SHA256
46d27a9f3f8e69ac2cdab7c0a2ae3a71e2b9d6624af87a15d0491900e94488d1

SHA512
aa0be8eef3cff5f4cc8df73f4108e27a7a0d2bea46c113fb13b195607a21527acd08b0991d1153d5c41189df50d691a62f79954ecd45fceae6e50d5a7a87a8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
9f1f337209afe32955b945d8627967ca

SHA1
bd0270579e22b6293bb2b710c1cef8860f7759c5

SHA256
1a50bbc924ffb252cdc9a96644dfadc74e6768aca740a838ca9b07e1c5fc1035

SHA512
85472a3afb6311e4b05fc65bfe6d8f8c960098c8fe5a590bffe7be5419a64e52e1dc4a18ce64587a52f5f8fed200fb279d59adba6003a7363973ab2a189d3f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
7ba57a700508ebf917fe8814b5296c4e

SHA1
4625fef9420e688aa73d711db87472a96a1d63b8

SHA256
09076ef705c05306653c1c15f1372fb597d7d97cfd5972838a2f55c91217e3fb

SHA512
61840e70951b4f1bf5ed4fb4f2a26a0c296c7431e58061578eb3d44b5a18881ea088523ae1b50f7e6945ec2872179c179a560ed90526df1a29ae8430d461fc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
468B

MD5
7e1acdedc4fa69f63b992af42a56c1d4

SHA1
6ae6233c45c1a98defc25420ae0063c4490d5a2d

SHA256
1906127cebb997c2bdeacb48c949c041c4caa5e2222c53e4e62785cc3d18826c

SHA512
84cd47fcc8630d0d46a031a9b17a6ff8fd4b023fcf1e60d98cdb189d7d936569d35cf653fd795a25d379bd9a7a0f247978cdaceb52b6601a8a2257f5a84f4fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
616B

MD5
3778b76976815fda2f97e04bb1cb92b6

SHA1
56ebbaa0dece8e63209cf46921b2c596510096c9

SHA256
6f604269268f1da77ba597c261bf0287ca8d977fd3e5268de5d3248ff647cf4d

SHA512
64698f4f2592a6ded2d49a8d8b37d89753c457ec42bcaa55117cd6401523e45cc47a9e205516441339fb50119feaecd20733ab6600127ee79e3377b9d63fcebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb21cdc8206765a5d6202501d0924029

SHA1
91d9efeaeea4e86bba5d38e01e485ebe385ebbef

SHA256
db756dca53cfb672735616c99d4ae1861aef30f2ef784a63a69e787d0a10157f

SHA512
3a7e575f1610fca354e1b56beec44f3df20724158da4850a850b7daf67f17fdeca7ac25026bb71cec4510637af0bd3035755fb90a34ee4df0431e0b48c8cfc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eeec57a900486d7765e3cfd318b89ddd

SHA1
8f130c6ad8c13d57a9ff7bf2126191237a17f6e6

SHA256
9b3766cc0f7a95b5695a29b4d4b0a827a81710076653d0f09e543833725d793f

SHA512
cbb32aafec289f058f2eaf27c00d55962d0541add60202f0a8ae1a7a8d3e21de0dbaae0ad04a17fa7f5fec6769ffd68a0653cbe470d4818931f6093bd51c3443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd5214404c2fe92c6463b2fd82a403c1

SHA1
e221d2e0ac0abfbeafe9c98613a3d33c1fe20b22

SHA256
f55a300f73c6d2acf7553baeb37a60077174545d23454ac91e3c4c9d04ce08d3

SHA512
9c030e39961ca0feb3ac212c26a981c7ef3b6baefb6c99ae5ee6b863a048b75c9a762eed53b5efbdc74257e989e85e0c270b763471ad943a43a5aa83dc2c9efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc96fbd9ce707b5d83b887f9abfabcb8

SHA1
971b69da54966e6835a9c594200c5fc43b3d8c78

SHA256
e6f5787f2de3b302d11a2eaee316a42cb70e874920c9f7f8b5b59c03fae964cd

SHA512
97444cb0e7ad9def4a77327248843bde5b47a3550cff2d74f5a33853361f42e519583e24d06de1f02438a3f679bd4433397e894a576fa2829aaff0db33f5276f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
de00555d6e3e62b4be7fa82a9167b3a4

SHA1
770942e71a9f61370276e2abccaae21e4ed73df4

SHA256
37b7fa1fbb0c657bb65666e980e4d0b814af5a7cb75938aaabf64596b5e79df5

SHA512
d7ba8724edc552b39bf2cd735e594af351304a5b9a1e130312181371fcf75dfc7307b53df57b8f4a4e7d106e9e5d74043d8addb30050bfd6ff7ba0a97f80484e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c23fc180e1c6061866eab902676657b7

SHA1
1294eeb63a5c718b0c3b3aa0b65f10caf89ad823

SHA256
90981108afc39ed631b146aedba4b2b080cd88cce623e0ee0fc69dae466edd63

SHA512
05532413a0cf1ede0e581c3f8c3dd90481ecfbba305e57c137196c522d9296d2dfddcfd94c799a7329e35e24d6a35b7dda22a404fb112147ef5319c1a9787c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f74396f3ec8e5adae75ebaf64553a98

SHA1
8eaba16cec394898a0c2cc73d764a10da453116f

SHA256
ea63fd8ef3a74793640dba1874003b42ae87483e0dd541cbac6d3956822a242a

SHA512
b024122b796bd64247496680956e8d6579f6c442cbecbef3ef4e299da913980ce7882611f4f55df35af3aa7ed9939bf8e1ced6de25208e732876bf391d91e055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
2b4c72d8618e72275f13ee0c2fb33658

SHA1
6162593782aebdc34ed9353b2d2b2aecfe74b84c

SHA256
bdbd752540dd374117d79542aac2ac75766542a3377ba994ba5d5d335c14a0f2

SHA512
cfc55cfe408f0c9d252e93826b3ab335c53c0e0bb5e4521d1f4ac3e6f98945a64d8e3cc83055b6129c8018ce0dc6df3f631f4e59e627aea63d44215151aa0f0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4b0dc8cd225d8adc5a5ffb5d5189ddc

SHA1
f1b8d668bde96ccdff406a9c6f8d4d68d89fd0f4

SHA256
d8f3aed14835308fb850a089332710577947087d5fd7f83207185597991a1de1

SHA512
1cd9fe9278d236d4761605746ff3316642a41ed4451ba714785a16136edcc4db0bc33e33ea9e326a4edd1947dd05bed753ed7200203d1b7f45bf5d31cd109069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58243c.TMP

Filesize
370B

MD5
68a329b95702ea9c7fb35c760699ccd8

SHA1
637a7304fc9fb87eba5fe9430c80c0022b6567bf

SHA256
539a093b7d47b5b5e241bd81412d1b19c77927d9d12086787eec3c8a05db0dfb

SHA512
d3af4095ebf4cdb2da48fb769695240d92f88e4359a32dbaf49c9903476a9b41e88504088313e7cbd0599b22c5ada3139c867be6eff84a82071f6386d8e0f1c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f7d78b73c8705a394a0ed2ebe9094bf5

SHA1
03e0d10a6a24e5310ba27ddacd41922bbd0e5d46

SHA256
e043366b9bbae2b78252f6bbbcd2c67e949f6e5798de8685ecdade6920ce557f

SHA512
4c6d6c61f5752363a13323c42fd96096ed8047d184024e6e8ce024b140585fde95f97544338b24f4c6364ee34ced2a2d5a74664d7107178a1dcd92747468e42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8cfb08cd27bb278fa752256ddc757d7

SHA1
38dd4354d749333d8c797bab611fbc694d5e49e4

SHA256
0875cc4f0f9a11749f72e4c25c46431e3d89a4f0878ea7af17889392e94ed332

SHA512
e4d41f03ce60072c3d5a7398db79787fc663d2eabd5cbd0164ea35d8fbe05b57b54df267c05473743817cfc39da09376569449ca0e33db1d3aba514419a7d67a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit