dc3885a6d719df87955bdb33a9e41bed998bac9d800d7ae2362ded6923b30f60

Resubmissions

08-10-2023 14:26

231008-rr89dafc45 1

02-11-2022 22:01

221102-1xp75aefdr 6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice.vbs
Size

3KB
MD5

36545facf925ffa371fec7578993de79
SHA1

5b3e6c6cbdd2e2e82da43a3fb312516d7ece2b2c
SHA256

a9e02a6c316b3d7659b48621015d504820337f1f88dd588b75597db95750d16e
SHA512

1d75496091ea53f1df89ef3b6034ffa3394eb00d2f8c9a2d3b2acc6d763c4864a56d1426d45a0b6bf50cd530edd04d577f424715d4d7945d2b12fce8a64c7132

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exechrome.exe

pid process

4860 msedge.exe
4860 msedge.exe
412 msedge.exe
412 msedge.exe
4168 identity_helper.exe
4168 identity_helper.exe
4312 chrome.exe
4312 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

pid	process
4860	msedge.exe
4860	msedge.exe
412	msedge.exe
412	msedge.exe
4168	identity_helper.exe
4168	identity_helper.exe
4312	chrome.exe
4312	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe
Token: SeShutdownPrivilege	4312	chrome.exe
Token: SeCreatePagefilePrivilege	4312	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exechrome.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exechrome.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 412 wrote to memory of 2500	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2500	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2580	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4860	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4860	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1948	412	msedge.exe	msedge.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice.vbs"
1⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff801a346f8,0x7ff801a34708,0x7ff801a34718
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
2⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
2⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
2⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1207515279779962798,5373080741492271825,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff801729758,0x7ff801729768,0x7ff801729778
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:2
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:1
2⤵
PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:1
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:8
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4776 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:1
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1904,i,1158865502170203634,14661902067673499871,131072 /prefetch:8
2⤵
PID:316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
44cdaaab50d2aacd812d559470ee3c3d

SHA1
608100698846d93c7bb22db6c813c4f8f401b6ea

SHA256
9abc242ed7d9d33582a7f441d58df4ce824abcb773ba2e3ad3f8d5103546bdc1

SHA512
32efac866ad6c5dae80a63b402a2c46f6eda93d2e3bd3f56eae554fc6af72f86f68270db87cadacb785cf1978ad8483258f62b75456017317d9a5a2c87f22b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b45838f8cc47834cf677664db68a9081

SHA1
05d4f4040c6ca738f17cdd01cc5cbd7515a562b9

SHA256
b2b0d71d0ea96e1bd8e6836e1908a8bb2010ca32c2dd56a18b71ab070d323acf

SHA512
799aea1c15eeeae7c3d1a98ea5c9038d49cf980b46442a1459a640eb3202c02265d4961b8f69360475d759b97346c520ae61935ccf9b89e69870ee67edb5b4a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
102KB

MD5
093d829f24606fb6b2b3d523580bf963

SHA1
35731cd20ce5ff9599663ba49238675da49d537c

SHA256
e040ffea53eb740ec226a3714f2155c84690b1e9c09d5e6f46d9bfa8c4f61e32

SHA512
1ccbc5ab485cfbd4d1029feeacd3f766e99d7d618000735fa93460a65d834de045c77fa0db83d6d57ff7f988744735335d7b646970992438d7a7c84d7d8b226e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
83b3b75400b4a74c4c507543d988d383

SHA1
67b31b74711ee15605d063842dcda81c40b270db

SHA256
334c0ecb93a3eeaa8642ce0a74cdf5b48c14ffd884e0295d14eca4f26b83182c

SHA512
6fbe7e39432df0fdfe65795017cdae2cfe5e089a4739d0f059d090107b5f66b09e0e33e3393e4a400436ab3657924f0933e95241218383d39e6e0bdb4651d44d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cd7881f048e165dd056eb76574096408

SHA1
286d68637e94cfeab27a56eccf2eeaec1ef5134b

SHA256
c8b0a67f146659ca8acea8d43547f2f955d6f95c587df4f4cff61f730c7c3d0b

SHA512
918c0e8e5af32f17fbf28559e689fb3616648b8189ba82cb3d5386021f7ad31551d9929f861cd0956844de8ad86e7140ff2f7ed65c21d9560785e059005a1ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f9cdc91cb5459da84e0df9cb27aee86e

SHA1
d8c1f52b4d067690439c8a5a4f818405fa775d5c

SHA256
15aa306ce58c12009c15c5c755f82c023ee2be63f31f86b49c0ec4f6bfb77456

SHA512
1b997a7e9419888667f831753a6680422c547d79b74543a9e84b1904b48325bab4e2eea5c1f0d3346f606b5ad1c99006f50219843be912279e1ed70ce21eb382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5d8468c683d7ad9ad750c0e069addf77

SHA1
7f075c3864c46426963135bc1b560d266ef77d8e

SHA256
cc0ed21d2ef65c6726add1fae45be0b7a8d0362c70bf1a8b6ac0fc38b2e7662c

SHA512
af9ad6d52e5c8fe33263d3f3192a6d68324264c11d424444f39a3961e30a0365f0dc64e4654f73f4730200b22c07a7e25d3ab1641b01a8fab0d3f45e087ac57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
62d77164b3288dcfca2f5f801e36a39d

SHA1
3aff9633e43e67880620c729285ea9ad45e90e79

SHA256
a1a999b8ce7caa80eb0e8706295ee564a970aec1f1826d11bc2ad7ba0e758827

SHA512
a09142621486b3341dd788ecb8a76d95311fa01a8d7fa6fe66c51a769c0c606e9123d3bb4e05c9bac0fd3b7a1ceb7c0bff7a296f86c151a267ff661a47f0fa48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
05b88c4606fa8c53c2c45051a1eeb79b

SHA1
69ccbc86ef575cfee17ccbde1d334f2ab30980e0

SHA256
bb5901b3cf59560dc2c7331b7a6884ee8423d30a816bc3682de8b1bf6b46f6e4

SHA512
d3c0e132709e8428d23dff592b81819c32a28c0f49b99a007f83d1bbec7011e0fc42ab376909b2bdd2ce9523bc728b30522ecb13ab3ecfdea75d7f270aeef194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
fbc2b807c96b18cfa77c1de8cffaf969

SHA1
d3768433aba28d0a45e95d203b22f11861c5d24b

SHA256
632c6ef2d064e86d53e2a349fbfb2054cc2459a4e45393261ce9a4afe206b75b

SHA512
e909a264d0a6802659dcf54553dd9a178bcc7b7b1744c31b10148a6c7a0240e74b884a0c55bc0e96c902e9e89b3bd64fdffd13ad1afda74ccc32c4ce5931a134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
b09e8e43516341ac0067439fa61f587d

SHA1
4c9b4624bd41d95ff635a2871286fcd8a082096b

SHA256
25692219801788684ee57665ef7477df324c3f80b291513426980c1f77c58321

SHA512
a485fba11c8c325b63bc24498abe731a9d5764ebabfeba22a764501423f89752431900464682b94938f0c0074aa69d5c268abe6dfb52db43c18767e50f3593f6

Download Submit
\??\pipe\LOCAL\crashpad_412_KMSZIATXRSTERYLF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4312_WETRNVPSANSTPQOB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit