hxxps://www[.]youtube[.]com/redirect?event=channel_description&redir_token=QUFFLUhqbUk2Zkh4NU9KSE1oaEF1aERWLXdLNnpNdGZjZ3xBQ3Jtc0trYkUzdzl4Z1NIcjg1eHFxVnJtNmRyT0V5YWRveUN0RGUyMmdGNm5fR2dGSU9wZDNENXZYSE9TUGVsalpCRHBxX1lWUmRKanRKT21DcTlVS2phOG9xU1d5U05ES2ZCekFtSUVpVC14TVFrVWhsWFVONA&q=https%3A%2F%2Fquoo[.]eu%2FKWwD

Resubmissions

28/02/2024, 23:58

240228-31jkvsgf61 6

28/02/2024, 23:51

240228-3v64zagf95 6

08/06/2023, 16:26

230608-txye6sgg68 1

Analysis

max time kernel
600s
max time network
585s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=channel_description&redir_token=QUFFLUhqbUk2Zkh4NU9KSE1oaEF1aERWLXdLNnpNdGZjZ3xBQ3Jtc0trYkUzdzl4Z1NIcjg1eHFxVnJtNmRyT0V5YWRveUN0RGUyMmdGNm5fR2dGSU9wZDNENXZYSE9TUGVsalpCRHBxX1lWUmRKanRKT21DcTlVS2phOG9xU1d5U05ES2ZCekFtSUVpVC14TVFrVWhsWFVONA&q=https%3A%2F%2Fquoo.eu%2FKWwD

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
155	discord.com
57	discord.com
58	discord.com
59	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133536383412678061"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{416370EB-5BD4-41CB-A840-ABD8D89440AA}	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
3924	msedge.exe
3924	msedge.exe
1772	chrome.exe
1772	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3252	3924	msedge.exe	89
PID 3924 wrote to memory of 3252	3924	msedge.exe	89
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 5052	3924	msedge.exe	91
PID 3924 wrote to memory of 4388	3924	msedge.exe	90
PID 3924 wrote to memory of 4388	3924	msedge.exe	90
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92
PID 3924 wrote to memory of 4852	3924	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=channel_description&redir_token=QUFFLUhqbUk2Zkh4NU9KSE1oaEF1aERWLXdLNnpNdGZjZ3xBQ3Jtc0trYkUzdzl4Z1NIcjg1eHFxVnJtNmRyT0V5YWRveUN0RGUyMmdGNm5fR2dGSU9wZDNENXZYSE9TUGVsalpCRHBxX1lWUmRKanRKT21DcTlVS2phOG9xU1d5U05ES2ZCekFtSUVpVC14TVFrVWhsWFVONA&q=https%3A%2F%2Fquoo.eu%2FKWwD
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb867646f8,0x7ffb86764708,0x7ffb86764718
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,3363827361633128510,9214280248286933481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3363827361633128510,9214280248286933481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,3363827361633128510,9214280248286933481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3363827361633128510,9214280248286933481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3363827361633128510,9214280248286933481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb77aa9758,0x7ffb77aa9768,0x7ffb77aa9778
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:2
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5160 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5028 --field-trial-handle=1872,i,17419803824144205701,11911997780895853284,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x468
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6a6fdb2848322a85abd90afd5f29efd4

SHA1
e35e14eab07734b3e9ba497fd66ee760f54455c4

SHA256
24a89a2cd978aa4c4b6d01f19a14629e1eba1bacb003aac07361888623b7b421

SHA512
ecc7cf1ae3eca53f9f307f51fe1f23a01ee923ed69852ef3ff572509a54f4b11db3c3a05affe5e5742611fcb956051e7321057c0c64ab53e696b3e3d87ec337d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e72747d6d068eabef5014d7e3e5d7fbe

SHA1
9da44d8c704587c3494f5ed836f36a288e7177eb

SHA256
a52566831957ee1b05dad63838068459f7cb4d69bcd5c6058b20ae7638ec23a9

SHA512
89c2c1709394a9fe08af51383e76301598806a4614bd6fee03d1eb7171aa84db1caf7c148c042010a28e1f2de6cf23166bcb6fc651c0c55e68736b6c628ac698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cd6bf5680bba6222582f9b93caea404a

SHA1
48d2f0c00852b67182beca57ee4abe89a431c7ea

SHA256
b232abda5259ce0d78bd457e01ee76eb5f1331b455da899ed840a7a30f430225

SHA512
7624396dd0e1331b002e92c4c1f04668948b2ba99bfae4b007592907579a8841f32e3e793d123c6c182ed8f6b4fc880f5cb01c73be8f0903f76a5e8be9fb7db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c6817287391ab3d11450f41e38d9cc7d

SHA1
fd1c4e85bcd42f853b3a511cdc95ba06f2a1b65b

SHA256
42706175c10cb1432c84020e760bd2ea93c60a725403c3aeafee88a512084e85

SHA512
e721671b8cd09b4b8da5b616ad446d2cea77af3afdaadcd281f965f48befeef31ac907fe90fd3e28e2628f6079efea7431eca2dc159f89214ce81e6ad8ef1515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b8b34c53e8288c312587b0ef61d7e677

SHA1
4f3ca6ab168021a6141214578fed4e3b10ab3789

SHA256
2f5c153185991c9e6a37d1d41705d30191628dd954268b6d5ef491e7627300a7

SHA512
72b09785c752554308bbc6e71ad71a0ba3a1d5439051e196446c471af34ee7e5c899f61f9433d10561e87cf98aeaa3da8c506031e0b9d70ef8f648850a06bfa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4d036c60db67ab722a75c1dd77a0baaa

SHA1
bbe62155bdc98d7951205591c071f1209ee91ffc

SHA256
fc70d0a4eb00796b2794b5878f29c58fbe3201d914d6ea609e260182fcfe66fe

SHA512
70506a71b0e74216e22703a29458d32e20448372998919a7996ce2ba204399ec818fb9657a64b96316a87f4847120660da7ae0ed0305f687833ffc2c4034cae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
864B

MD5
59b00dac672c7828d065e2e4f49462d3

SHA1
bca2179ba6ca0c2039f2bfe1d0d796bdf4323622

SHA256
e06f4c370763280b81d0e4563a6838de3fea67bc0a82394c59a493dc8ef6b4fe

SHA512
8f4f3f851195e2e19373e1cedfeabe7450239c08d179839abde658fee5a1534d6c6964bae865d115dd319cc14889b9afc2461a75f977c058628333e08e9c0c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2a83ae650de4fa964311bf59a9cb4e71

SHA1
6aa2ceadeee14b25f0fcb7587b1b95cf60f4db52

SHA256
4ebb2efb36fd4078c2a28291a3ce2dcbcfbb4b1fd990d6fe5c8daec334467141

SHA512
afeb1c55cfabc9594b24530830c208c399dfb7466ca49a1f173eb4ce1981c2108a866ce602c1f06711aa8619fbc118c0c5fa141075c6e7e4a784eb752069e13b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
312b5b10bbe3b7b81809714fda41d384

SHA1
8056359ba5da4f247e503c51af8ac38332e3cad0

SHA256
f9d604e539e884ab78065f3a596018e75bb3bb82c6a07ace2d3402a004139ff5

SHA512
5212a79463d46feb2c6400a965a6a261c0caf15b689030d9b8a73f9c8d9c9bff04e62991278628d6f9f6a8cc5895a0881c491ac716bf945bd48202a99e2a266b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
16d1238a53545cc47c8abf2d95401aef

SHA1
2731968bc9d26c1aaad27e2d64c9f2e301598343

SHA256
8e0965f6207c078f2a711a49a9429f631764268ddffd7d83a4be26230f59a947

SHA512
4a426ce9ad5c72c68621975a85eb77e1a9b13fc0bc4daad7c9e0aa21e4e370898808262931359326d84f4845986ae9e2569f7f217f287b2363e5f52e46852ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
425d2aead4b887b3ad15f89ece0d3d24

SHA1
ff3653e3b4907dbd94959412ed4c2255b827457d

SHA256
39267b190141326aee6cacf0ea32bdc41aa1edd3c941ed1649b2b908923d9d5b

SHA512
555902a3191e35f3786f94d7cedbcb0c957eb79ed9400955e6abd95858d311a0dfff1c28bd07d049fc53eab9b61fef56501aeb62a0c68537b26ad23d514f5e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6eef6eb01e3882188e49b8fd647b8eab

SHA1
fa20ebf9aa8291132dc2d89f667b39c99b817b1b

SHA256
22acebb49d1b013506932b38728b15c1614ebc3336ab2fff819d442b819e07c7

SHA512
ac64641cf2cec5b4910ffee3f827e4f92b6919c976878ac8eabb3975d564e197f6cb64019da2f29d4ab06d2654e77075ed4563677350c17f81c6700d29466960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c40a6b7ff7c58f87e9f6dd6c078aa823

SHA1
c5b4c831cbb9f33286d3765f8df1cd8c46908f6a

SHA256
10e4ccd8724f1225dacfb13569f407706ae3458b673c4fdab31bd87b154abac8

SHA512
ef05d3115597078b7e95c7427fb798b0171b7af46d0f82aab91ccf3a852e1fc4f2102b1664359347faf3d18d958fe9a6affe0014e3e1e906d914d65889a9dc21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c22ad9efbc075d2a7610545ba8ef3070

SHA1
409ab612baf3b3cd18082d3a1535b93a4d33d9c2

SHA256
f19b3c8bf56cb1ecbea4abd760c6a77f93527235fdf2e61c82ad6c0cfab1556c

SHA512
8b611cad56754f54f9e306f0ac091176e6c3eb7c4677ee0819db3490ba0491f1cc73268f6af7142443945b491201681fbe072bacc82a63bacf77b502ad331b13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
396c7ba421ee3e5d32371e8428b5438b

SHA1
4001805ce5e0a2163df261f9e1b5d981e1a3b09d

SHA256
9da4ff898204df4e4d2f78f6d97a654f1ca2b0dbdcb8838418eaa6a66f3c2944

SHA512
0a938bdf08e69ba6b531b3fe9b228ef07a2e0b3ad755feaa0a0d4f0dce932fb4064e961c2b1587db96631bbb4aa4d4b6b4c47f21ae98d6ca9847153bb297e706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
588B

MD5
2ccb2a1afb3cc5456919ff7299c72781

SHA1
f46e0bf9ec2154f72c711fe31c875d10a6c9367e

SHA256
4eb299e459eff985597fbe8a0344e9c5f292d2066b27fd3b62ddfe9e9f331420

SHA512
9a5eeb11725f561fd197eddbe42e49df92a393b8f00fa5d337b94b7dec3ec291f655c35b5c44f002b2a1a4061447e20eea70b26e13d88fe715882a248cdaf76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
098dca65813a0c8c76d7c205b77b8c48

SHA1
a4d8a9e7cfe376d7ebef1d11c655e7d9d8a5fcc2

SHA256
4d0edb6061f62bf44028588b8fc70bb5defdbe095fe372118c655b89f8ee89d6

SHA512
d04e195539676b45378b88d34adf1255f4af2dbfd810f00624442e504c67bbc04b50bbdbcf6a6b877e1040934c2fe0593cfeb00bfc0a676b182b477ab8bc5880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c3c0fc7cc16a99489eb0db287e172b0

SHA1
7d046120dd0a781b5e5e05207a607ceb5ef02173

SHA256
0a92f548fe8aafa940397b8bc42316fdc32dacec8ea92c5ae736b0737eaaa55f

SHA512
c621eb8d9569ba1fe20090c36fb7b652d7afbc7bf341bcda18816da137daad73122ef7f68126ed4524f71886eb2d8c911d01083817e707e8a6e0bbe94b84b433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c22681a07166407b2d77065684df120

SHA1
98acccc71f5bc380c2904548cd3da0e6ebf3bad0

SHA256
2aee6c02b51cd35503f76c175ac074ec5d7b1ea02400f26bcc4d1d88b116174f

SHA512
bafd0676bfe6c2b39ae1b2771fb446479d4f956beb18d7b348deaaa97d0e32cc6203789bfed25c6d5d4040e8e1f85ff484415c579a3a6f4ce87955b954743724

Download Submit