hxxps://laptopmajstor[.]rs/wp-content/uploads/2020/07/Posta-Srbije-vozila[.]jpg?x59440

Analysis

max time kernel
210s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2023 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://laptopmajstor.rs/wp-content/uploads/2020/07/Posta-Srbije-vozila.jpg?x59440

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133344741573511559"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
1220	msedge.exe
1220	msedge.exe
972	identity_helper.exe
972	identity_helper.exe
5388	chrome.exe
5388	chrome.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
5520	chrome.exe
5520	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe
Token: SeShutdownPrivilege	5388	chrome.exe
Token: SeCreatePagefilePrivilege	5388	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe
5388	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1568	1220	msedge.exe	59
PID 1220 wrote to memory of 1568	1220	msedge.exe	59
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 820	1220	msedge.exe	83
PID 1220 wrote to memory of 624	1220	msedge.exe	84
PID 1220 wrote to memory of 624	1220	msedge.exe	84
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85
PID 1220 wrote to memory of 1700	1220	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://laptopmajstor.rs/wp-content/uploads/2020/07/Posta-Srbije-vozila.jpg?x59440
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdef2246f8,0x7ffdef224708,0x7ffdef224718
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4927560112289699951,13566825298260271302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffddc2f9758,0x7ffddc2f9768,0x7ffddc2f9778
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:2
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3828 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:8
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3976 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3264 --field-trial-handle=1936,i,6577291716698255836,16626653923104869315,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ab095626a4cc5066aeeb8a54b4683709

SHA1
cbd13bbadf2d6f052bdd2aa180d5aae99fc7bf71

SHA256
f44c1789e513792f7e54d1057c8a319d75c9356f8a8ac5985ce39501af82dc46

SHA512
cba0cbeed0760e41a000fa31533c5abd00615a98f956a92038213ec1e8475950348261cbf2b434bb19c722d731b3721d91fbe90a26a990c0cbde89eca571ca53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
749d3137a140c5fd92095c17fb50b24e

SHA1
cc9654f8d303b8d62a48dc1e1720013bd580e103

SHA256
0f9a2dfdab224c2f221de48123022665ae1f7c8499c80512fd1c92cee6e23509

SHA512
ccea9c159d562c31401de41032689c16792050c519817509ff734e235c30a140433598a6f3a1fade4de4bdca6b934ac55bf3ae581c9bfd74ea2e32edfe4ae257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03bd63272facb532ba86d545828909b3

SHA1
7b234a6f33113eab640808a1697111b285bc5e8d

SHA256
563b5528737bc47eb0c3b0957d8d51ed1939cfeb1f89c808316f650d73761834

SHA512
ddcb2d3471b30f9f2e3a0bf0a1207345ab44f7104d0dd3a6b822b335a63ec364c5950e6323fe46648fc9d81d2695ed37cd41703dd7c32b836716ce08260f6ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e62562c6b03c9604c8f76bf7ee25a881

SHA1
edcb05bf84e929455b107b7e7603632a2bb70c3a

SHA256
2cc981123b13da52e490f85d7cfa298a7a1a97fcf90f467c9b1339dae3afec36

SHA512
9eb7bd6032f315d9e8fa70dc80d6263c241954da0e3616a1cdc5f3e473bb34033d01e9003d05e4e493903c151ce1f41aee22b2327a2ed6237915303d7bf80d25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
71e86b826f8f734c83d4701cc5f5e2b4

SHA1
5e617234904f25f4828703a1d9a2ec779eb50d0a

SHA256
c8e1dfecb953be940678e407bc5aa04e866db28f011aa428b1cdbc2cb7ad29da

SHA512
a83b4a63c8a80237740f3ee252427c1c5f5460aefdd131cf3665d438c2b95f48f28b9d45065a30f57821d50ac80da108329b4a95e11fed42a538daec8c98430b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
be85a5aee25893d08338a1f5bca06361

SHA1
dbbaa127426c8df23c96c5aee7f7c5d2cbea3dcb

SHA256
aa851a12be44a6aebe4a21bb0ce58152c1b3b67ccfc148ae0df379b75b460522

SHA512
801259fc0e88cfc7015894997c9c02196df06d1902626e2aa231855028fe82dd3b03294add68ba2b5f6631ca664822e31d7efb45ac17fd1ea6933d2f844be058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
9908c9b70ed6a54fae7fc7473a6215fc

SHA1
05a6064f83029d108c88e9c0c4a870af4dceb9f3

SHA256
73070630f0d9dbc0639fffbca8486e7cff9e0cf09f7c4de635dedc4771a92952

SHA512
497f637a133d2c24a4c6100502c526421e1d0d91b2074f294cfb439af1635fbd743495873c3bb2908790139daed60ae2848a7bed4411bde7008edf4488ab6666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c401901016ede50bba091985b11e997

SHA1
1b4f70f867b1c9bbc99635c127c6c1c0d6575ecf

SHA256
15750750edf600ff446ef178f998c1e179b32ae9d98827a30536cba9f3c81a3f

SHA512
a0e7a17a42586c924dc818238037b7753d47609890bb3736bbf1438dc54b057141b6df6acc4273983371180c42ce5ad1df40cd1549c1d310994bf5f2c66d4f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
228b394a721bf20783308e938eaed2f1

SHA1
862398763ede24b91b35f982fbe80925cfb495b4

SHA256
ec672f20e823e8b71331431922f4c6dbd28beac5a2229fc6c7202245f2faef59

SHA512
0ef41a5fe6f5a834a995ab08d0d7ad0fc615bbee3471155899d75de3b08ae1954d1282e977d09f6e1415325139937f9a185bcb2eadc9c26ed245fefc0aba4f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e37e1df4911ff1c69be2f312ff47f8b6

SHA1
0f8aee81846c4963db9136212b2ca2ff160a0200

SHA256
f1238b7ecca0cabf448c197c9ca883392810d1fc0e2dee0252605995c1336ab2

SHA512
b297f8883c3412ab82c0f2a8a2b9e8e4ffbcbc851f50da2313581b61bdf4bc75e0d74672522b203b46adf76c4dca3d7cbbe1ba657f7538692ab8f5dc2bb2c02e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
30ce10e2439c9227a9780d44f896a66f

SHA1
d62ffb51c753fd1ed96a262421d9bbc137f18041

SHA256
4e81465b2fdb6bcd406d1e3da96855729f0af7f83a85e256a8b54d476950a17f

SHA512
8f5466937a40c5ff29f414ab6c2cd96e67859bf06286f5d11338fc2a61ffad2bae9c7de73bd368e855168bfa9d2f6aea2416086ec0df193ee3785486d77070a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
523191156edcdb2e9eb150041364bfde

SHA1
c345053fc2b37d76df3f3e1034a009c8a075a230

SHA256
63a0a2ebf493fb5981f7dd2e02c89445b092c2144756bfd55c8c030f926a847e

SHA512
6dc4ae50e09fa98fccd47302b338c3884b55797f61aa0edf3c9376b2df9e85e7ab2eaadd84ab93df8f832a322de784f2a7e1b0df98ae3d440c59795da96a14fa

Download Submit