hxxps://discord[.]com/channels/1177432491611672699/1189418786441416834/1189425625971302500

Analysis

max time kernel
35s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/channels/1177432491611672699/1189418786441416834/1189425625971302500

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
5	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771719357-2485960699-3367710044-1000\{3542F339-AA89-4605-86FF-1D74B28BFCC6}	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3496	msedge.exe
3496	msedge.exe
2060	msedge.exe
2060	msedge.exe
2416	msedge.exe
2416	msedge.exe
4144	identity_helper.exe
4144	identity_helper.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2060	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4132	2060	msedge.exe	80
PID 2060 wrote to memory of 4132	2060	msedge.exe	80
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 2212	2060	msedge.exe	82
PID 2060 wrote to memory of 3496	2060	msedge.exe	83
PID 2060 wrote to memory of 3496	2060	msedge.exe	83
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84
PID 2060 wrote to memory of 3076	2060	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/channels/1177432491611672699/1189418786441416834/1189425625971302500
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd519e46f8,0x7ffd519e4708,0x7ffd519e4718
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4184 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7616461127306542777,7493110224858035661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3fd5ab58,0x7ffd3fd5ab68,0x7ffd3fd5ab78
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:2
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:8
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:8
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:8
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1984,i,1215712303724322809,17774862437259694806,131072 /prefetch:8
  2⤵
  PID:5508

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f30ba7f71b1c162e08a5e62fc728a1f7

SHA1
671c8b45117de397fbd1af542e95a7b633edc7db

SHA256
7b1d76f266623b6e7d62ab4737652608160102516faec68cca435107cc910d3c

SHA512
6a7b9bb8164efbb9111f70108064d580a71717f10d369cb37c205cbeef6ee465e9bea07cb3a0b02f2e892a46e2329b5bf19bac9ac6f3ab140ffb2044427b7a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
51ddc6ab0343e2766dccaf14e80fbdd7

SHA1
a3a470f01f54beadc989cb7e1d66a52eb5e2dec7

SHA256
e56cb4691324183eadcf6173e975ab698dbf6407fbe54339fc92433320ecd866

SHA512
3f2dc5ca2476d3ffa83c73d277bb56161f362c5ca7f02a30978dbc343a1f8430b11713273c39c8457faa520337d826665264a5b389e5222e12b1d6a01bda7e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e6f38220dbfcc24086390bcadf7bb68b

SHA1
86be0c7a0f11986ed5928187d3bd35eec13296fb

SHA256
58708b45a00f8e296dcefebeb2f16a98389527740cf78e259cc0b96ec4296600

SHA512
d0accbd3742cb380dd296e18c1d68a0b1344b421c527a2ce1afc6c64010fe1533bbf3f9b8cd5f4028d92be7c4680e5f82f8fae15d073083229749d8d741c7941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
baccb4768ab4e5575e26401afeeea4dc

SHA1
25cf8c17ff5acf198684bac65bf50d91584ae7ed

SHA256
ce63b78a9489eac9c29f0b84ae0c1b75a3913a0b53c8a320e8f5d8108726071d

SHA512
bf85e65dc36c648bd8dc3c11a5da3204f722fccb1f4be353e13dfa252321996e21e9b5549c5c11a6d3cb39c16d0b2251fce351b25b7e9eba01d0a3c2e0d57b47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
3b037bf0d4c1d0aee6e959ed06d2f62f

SHA1
d7a60b171fbf24ad82ed8fee55e1a566766a2b75

SHA256
a4b4af4021a9fe89c40a30c103be4d895187578496c8c3b00598df1c0df62d2b

SHA512
24c886adf486de2c978e888ff6ba55a789c3cb0c55c06f8122e740838431dbb62453e684c2a171b76cbf2cf30704029d974c666850c61f010a7817e6c1b0313e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fbc957a83b42f65c351e04ce810c1c11

SHA1
78dcdf88beec5a9c112c145f239aefb1203d55ad

SHA256
7bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128

SHA512
efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5b6ff6669a863812dff3a9e76cb311e4

SHA1
355f7587ad1759634a95ae191b48b8dbaa2f1631

SHA256
c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906

SHA512
d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
156KB

MD5
3b0d96ed8113994f3d139088726cfecd

SHA1
1311abcea5f1922c31ea021c4b681b94aee18b23

SHA256
313818d6b177a70fbe715a5142d6221ac1a1851eff5a9f6df505670ddcd73074

SHA512
3d78c250029069e1850b1e302a6d8a5154f6e7bc5cd58f449b8824ccf418e80dba2d5569a9cff72f51ccc9de140dc91148f93ec4717f4a880e2ba94898fbdb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
456B

MD5
c644385ff33d87ce9df6297e4230e1a1

SHA1
3ba88cb7dd301abeca5f953e12c2b10cb44fb8c2

SHA256
be567357239caee41c93dd3f9813e885336cb91709e5b8909765151f200b98d2

SHA512
a0e6bacb53c0a76a94b8057c694a67316c69cb634bf1483e99ab2c10c9be7ec23f38f3bc05eadeeb3a2d3cc14d967ecccaa60f7dcb7a6be8cff787fd2015190b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
179B

MD5
c88a3bc77002a075b95198522f195432

SHA1
dd6ff073c9b7fa86d1a461013165a7251443e777

SHA256
8f8c6061b94669fcf151b9f8f1c979a33ad38d597be893f375bff44ad1b3556d

SHA512
e3facaf13afeab1a90a5c15f31288611e7af177fed3e4474aefee3560c5e1129579ea74857f5a3845b8f04c117e6c5af45c87df5d0b003e1259d918b7b0dff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c20b5882d46cd7c22cc1b4a55a5b7ee

SHA1
54391d384cbb4d462d6cf5cbd5ce9753d4bb8cc5

SHA256
b9308f03a80ceff51440a914162092c9df29589c409e01c475aec8afbd2144a2

SHA512
581a73c905295bc41601a29f105b72380dc01e99fd6150fb4ac19f01992b0a17ea68802dfb25b872935fb64b7cf2e8b0c3b5d9195aa2f1c040fe1f1f453e9137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d8b1e8f87c4fc6c9c6ae5489483b57f

SHA1
b754b16087bc86ceafdbcc7516b428de3f68fa94

SHA256
11fe47ca87129d3c5bb14157b3f95cceb5b196ea54a5cb7bb7cf0da8c0d079f8

SHA512
083dcd7aa54b245ece5d244a079a0c234181a056696400c765acf2b6a2a3477bab78c4175800b726e54d492bf8668fcc6d889fc2a047f63225d75dd847db360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56802f0d105a4cbd1aac07ecfa030a7a

SHA1
641ac9bd6475f44216207099ef8f2519374bf438

SHA256
79c4506130f5f2e0b86bd932cc6f9520d6a6c5bd10d880a3d093f9d58c604dfe

SHA512
f222636933684982b70ce5fa28b2bee6702086a6c4c34ed9db73a9dc064bf5b7dd96de907f32fb787cf4d8b68ceec0e15f8620afbfa68ae1f2fb0bd07ddba019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
6cdab2b5402f0571e16cc094f971580c

SHA1
daa5a63b829c141f6ab5ce4b4dee06057356706d

SHA256
e4019c112869c7589290dd222a395ca6456358306cf6ab9cbc9e2bee4910d1a2

SHA512
939093dbbef2d2c376764a3ba0266a9fe830be1ca282d46849cee35ed8ecbd1e0f07a804eb923b68257b4202bb26fcb70ef5b2cc049cc6b3c270cdb7e99ab65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580932.TMP

Filesize
370B

MD5
2bb3660bebed0fc14b2e9e8176f898c6

SHA1
4119d22298698b3a7aa12c99a84a2a866b24e0e8

SHA256
6aad27df9bd0ee26044996ba456f6697a4ad5976a472dc0f401fb9320045a782

SHA512
4c796b0714b95af56a0893db26712a4edb3986f35b1d490cfffff2805c31fd18fb5979134ed267d498963af85ff85574c2c70d66d5a9517ef6f0d0479ca9161d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
717c5fddb80c44b3019bda27a2600595

SHA1
0a6204539ab31554aa94ead4230c91126ac9d0d7

SHA256
ae1fdb0f63cca49264ee509cc79003ed2f048889051b9f6b7763d3dcb391b847

SHA512
90ee61d0d03ac964e27365f67b2bf96863292f57743ffb209b17116cbc59bfdc5e3c0e6b15fbbd877c3189b4977518e21a930ca73b8742b8d8a5c0a564101f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca31bbdd53abc6d5cdc79c34af4f51d2

SHA1
88c45cbe706d8e29b14ed5c7b71bbada6018ed22

SHA256
4930bd8c77567f813168a3a40e3a348451b7dd9c74bd4a266db5f3c9c32a7f37

SHA512
a5d2af5ebcf259caa59c0e315ed7badd599e38571ec32d0b70589fdf79e6c46fec502612c7702bd9de2ecd86e7a89b2b5019c3729d80a917e7dfc3fbef3596f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a35f5e9867227961c0bc33fc789b647

SHA1
08bff3a371de3a06e7e8d0e2ca92a763cd996296

SHA256
fd2821da320ad580745702132636191ddd601aa3fd18e0e695fe8b9cf2c5e948

SHA512
e3cb2efa20266dedfedfb0be1ee66c4d5410c781e023c61a8764be7202e4ebb6afbf30e359cb2a0970a7361a127dc9862cb77b56deca6a8869174d1a27ee9b14

Download Submit