hxxp://msedge[.]b[.]tlu[.]dl[.]delivery[.]mp[.]microsoft[.]com/filestreamingservice/files/31e601a4-fc62-4f8c-a2e0-504db186136c?P1=1688799998&P2=404&P3=2&P4=cDOIaI3uDAet1xLRdJlwPCFQQYDLOvs0N3QAcGgbykyWt5OLNoON1VbSJWbOohRYhNhWpH/ybwGKfis3fDBAqw==msedge

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/31e601a4-fc62-4f8c-a2e0-504db186136c?P1=1688799998&P2=404&P3=2&P4=cDOIaI3uDAet1xLRdJlwPCFQQYDLOvs0N3QAcGgbykyWt5OLNoON1VbSJWbOohRYhNhWpH/ybwGKfis3fDBAqw==msedge

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31043293"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31043293"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c440f8ddaed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000929439ee50e204ba4f4b605da59efba0000000002000000000010660000000100002000000039d5b8e3d9c812d49e459129cc1393facb954e054a09f7dec1505bedabb8c552000000000e8000000002000020000000ab3907d95b8706dbfce23d4617397ed97f46dbe2b48fe7cf4bbf11a26aab98d020000000155292440649bdb1418d9d5c98f505a7be465ad419434d4605346625c52488cb400000001569f01b574c6a5b7e0b5387b2025ae6db3ec076fb80a5723213be6c6896c8ddc06774f96e64a9d598e241f0b4fa1a86605ac206e1f76bce45b8efbe23d02fd1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395284577"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4148677100"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502949f8ddaed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000929439ee50e204ba4f4b605da59efba00000000020000000000106600000001000020000000b589f470e3da8481d9fdc77e7d7a42abcc247a4a26ec5f92e341fd55414eedf1000000000e800000000200002000000036b0ca6fc1ef822abc7d4b2f2a1feee5c3da953f2b9a6a35b628a8dbf3aa223c20000000d7e37b65a4a00d4bacaedff08b89eb971aba0da582a50788db6fa10a2a72ab47400000001de4d07ad89f4a5111f5463b3d2d07158a3f029c3e3f6f7840163d9da2a189e19439d9038eccb3170b3f7970d52cc893eb453645ed9b0b82d5fd68245ebe434b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{220AEDD7-1AD1-11EE-AF72-CE28E34818EB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4136646057"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31043293"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4136646057"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2308	iexplore.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2308	iexplore.exe
2308	iexplore.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1564	2308	iexplore.exe	80
PID 2308 wrote to memory of 1564	2308	iexplore.exe	80
PID 2308 wrote to memory of 1564	2308	iexplore.exe	80
PID 4376 wrote to memory of 4404	4376	chrome.exe	85
PID 4376 wrote to memory of 4404	4376	chrome.exe	85
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 940	4376	chrome.exe	91
PID 4376 wrote to memory of 540	4376	chrome.exe	87
PID 4376 wrote to memory of 540	4376	chrome.exe	87
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90
PID 4376 wrote to memory of 4992	4376	chrome.exe	90

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/31e601a4-fc62-4f8c-a2e0-504db186136c?P1=1688799998&P2=404&P3=2&P4=cDOIaI3uDAet1xLRdJlwPCFQQYDLOvs0N3QAcGgbykyWt5OLNoON1VbSJWbOohRYhNhWpH/ybwGKfis3fDBAqw==msedge
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff940489758,0x7ff940489768,0x7ff940489778
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:2
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3284 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4924 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=2140,i,9201821117748081761,11155448694029420682,131072 /prefetch:8
  2⤵
  PID:3860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
364d28921eea385d470b5e969af06469

SHA1
949cab06bb3ebe2caa288f741abf3cb207b39951

SHA256
b8627f41f839736bcce201a7813a4009a9da0540719d99cde05da343ed3bbdf4

SHA512
51a0c138891d73a477bf621db120312f1245b5b8825d072755c237e8dadba6b19eafb9b03b0d261b19b910542b3aa06d3d092926cfeceb3e9fa28929a3e7bede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
34361419f3e44da5aa86912a0f3cbc56

SHA1
80372db1717194ccc5ba3c15ab4b2995f2cf1318

SHA256
4646719bd610ae1c4619b5d1032caacaac95a225be4471c6ff4303df3ad7bf09

SHA512
32d942f432b188799243b264e74eb03debb77512d460744a271e7c016a3c7c7932f359603755d543644fc653cbd5685e17f8b64aae0d4889a2fefe9235d2f969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3677f1612661ea3b9730951cfa421875

SHA1
a115466957b9a49cbaf7dac3b6cb9e61e815046a

SHA256
f64de6f43b40da59f7f0d1c99f94bb49a809548efe933ea21ef7fcd651541fcc

SHA512
3b7069f99de925fa7e528b5a0ecb3c90798aa4cb9ee05f458b0996bc90b55f77373e384c80538556eeb671431156bfa0506be49cde2251be39995ba915a32a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
89e9bdff2a32a3df3c604643f97acf50

SHA1
6fc623e57bf440896e04c4630a837a8a9ef7d931

SHA256
afcb1af658dc2f1db0e11b30f547d91e152f69f9d613e52df8cf67bc4b796bee

SHA512
f21137e6eed4f5c439cde00108ac77e15b8fb946553b10d67770b52c1b397d38ffd7f9ffc0cd02caeb865d5a6f39d5ccd541ba17587e7e74645881307205c6c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
675ad9d76b90283af0ab9a7cd8dd9490

SHA1
ca54440018c24c2441ff60eddad252a56ea6b7f0

SHA256
c9b14fd09bb36c7864da33d917aa4ce9e55d434373338c862adf8da39b025620

SHA512
944f047d43ff6a8ab069f7cf5d233d8cf9efcaad8b680dae59e08295ffdcefebb7ce185188d966d36ba2230ac76fa3d77f68d241ee5249e0baf118e020962e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
90KB

MD5
931d290080f05126e20106dbcca35721

SHA1
042aa65ad525d982afc454643d654407dffd84ca

SHA256
d13167add55501665ee666ed0785835d661588de9e85c99f4a28212966a738cd

SHA512
2d240e2641d8a2d35bd1858d55426d7125fa7cdc0112130d924aa36ddc88d3efc9f1c2a6ba9b5710b9c855a5b5a177e91d05895d074536c2a0b6a301a85f636f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
e0fc2e5a01fa8f4fa694f38ef6861389

SHA1
c375d2c1c0d2a41f50565a92a93f24f79e90e604

SHA256
b5be824d19a45b74c0ab67c8e936d4cb2f49d32c2b496838deaa0383c9531d2b

SHA512
cb8f8a58c5205c012d70ca9a3b1d6e9f6c37b1f174c33b06e5f917ab0029244c15757b19c90cdf5b5f7cc85cc933bab6df74dc8cb5f186a140c7797e8eca6e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\Downloads\31e601a4-fc62-4f8c-a2e0-504db186136c.crdownload

Filesize
1.5MB

MD5
ca25c4e4c426c960f000cdb926a3c25a

SHA1
9f5c3fd026c870cea5492e8384a15962ab306a3a

SHA256
7724306525ec5d83c651a0f3273c3b102168b57461be4f214cf6e6d0736f3787

SHA512
fa7dea6bbc017faa3a80e449b4d62afd3c6a85b7e06c52ff0382d722ad7e4dc14fda1a182d83474ee168d9c5bd7596da20d853c680adbd1ad22b166ec1d035cb

Download Submit