hxxps://www[.]transferxl[.]com/download/08WN4V1zbZbc7

Analysis

max time kernel
83s
max time network
83s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.transferxl.com/download/08WN4V1zbZbc7

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592364905659624"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TransferXL-08WN4V1zbZbc7.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4944	msedge.exe
4944	msedge.exe
3124	msedge.exe
3124	msedge.exe
1608	identity_helper.exe
1608	identity_helper.exe
4108	msedge.exe
4108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4252	4220	chrome.exe	79
PID 4220 wrote to memory of 4252	4220	chrome.exe	79
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 2968	4220	chrome.exe	80
PID 4220 wrote to memory of 3640	4220	chrome.exe	81
PID 4220 wrote to memory of 3640	4220	chrome.exe	81
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82
PID 4220 wrote to memory of 2324	4220	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.transferxl.com/download/08WN4V1zbZbc7
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85e3acc40,0x7ff85e3acc4c,0x7ff85e3acc58
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4656,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4296,i,9381046858751905082,17959550017699153262,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3928

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Temp1_TransferXL-08WN4V1zbZbc7.zip\DUE INVOICE.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff848a13cb8,0x7ff848a13cc8,0x7ff848a13cd8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15341902501618428541,6798834105551281349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7ae9ea46-8f4f-4ea0-8432-6266b3e6304f.tmp

Filesize
9KB

MD5
8f6a762d4b3c391215d48b99e311c2dc

SHA1
310f6527310565438558de932706fa9fa9e6196e

SHA256
2344607604b98bf755b690880141c70a6ff911d1d577105b01d7cbf5ed3706cd

SHA512
331d4322a5a0c995ebe5d9ade6dccc6585cf93f4ff6e405434c62cfc3c4d195834466f4921bc5947eb8f767db0d4b781badea529cd265a06d3e4c4972de67ee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fa17ea72eca2b3617fab31898b576cbf

SHA1
3ba9ff7b347cd769eee33a467fc8ad1c918452ce

SHA256
698319867ddc10304d260e4f119dc4e70cbd2e6e38021cd86c68bbfd34a75696

SHA512
78510cef26aa176f30cebb5ead6d924a2357364517850d9de7aa31c17627d4c48e4b05eea080d1892948829cf04e41ba2ec44a5f9b39b45d0ee6a9455266fde0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
e7c13c5c55884abdd5d8978c741fae1e

SHA1
aaf6a843697ce097bad692ee1e5a0ae5984688c6

SHA256
888b26a589df31f66ec33f46c68e03e43b79604b826c2bc27f8003c0e2e45769

SHA512
790631fc4c45b769577cd0c833cb729aeabee3481145d11673149e35ac6687211e75b829312aa79078e71cefccabc0cdba58dc91979991bf69bf15293061b542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f341e136ba313b385aed5e05e32447e0

SHA1
eab81723b73a1ca65844d6435f599a1cceb7d2f1

SHA256
ca0fea8e2acbab8e927ca7b13dc5357a21aef6be183c3a7b2bdbd42b2c3fef57

SHA512
2fd257205e627a72a3554c8f4423197d6937a4c9f2b210949114e2bf0865138a0e4d1a3c6f243d2dbfbf652e005a21b5ecc3d2ab6ad6799d733d238610e05a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3f4b360336376650122fb31a4f8a9aef

SHA1
29909cfa040207bfa515d6f92756874ff31945b0

SHA256
958de875a83f255a9d4ecb4c5116206a3639c4b878280381ff902e071c55be9d

SHA512
8519d88235e505a50cb00db2aea8e678dc5475f955aa584763934a47584f8001ab70c48e6ceb1d05ad97a157b51b09f184072c359f6e9d28ebb8c9966e1e10d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4f2f26ff03be866ecf04e228606f23ee

SHA1
a77bc4ec9480b5601ee969bf2b4b632a0da1ad55

SHA256
185cd641cebb52ba1cbf60ff7ab720f6e2aefe6ef5c0caadf703e64694528e3c

SHA512
419ec1cd2303a9d22fb7c173f198048ad1bd81a5d6202e69845ed4c09a9f4df2b1289cd0435a17eb3914fb1d1bcf4835a9d2cb2930c17fab1414e3d3615c0241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
82a04ef91a5373881551db39b329c648

SHA1
20c0199968c24c33d00cd59d48ce0b21e35c8637

SHA256
0301ab3ee4b3c87ce37b4a1b317278335e40e1fad7931881303b35367b43062c

SHA512
78dfba77123038fa7fa172e5228d48ecc72c12127478b9f7eb19294bace20c6135261fc1689e54d2207e1d80ae460c31c4454ec2e0dc752eb104c69e8cad4aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
900f6deae4ebda29fece65ddca0522b6

SHA1
5ab7645bf5ae3d96de4eda22e21c8299bdd668c9

SHA256
ceb48cbc2a357f1eb088fba4d3c565446d3f108eaa30bba8825133a4dd47199c

SHA512
42bc976e9e7dd485f46ecb7ec474d6654a04dde04aca293782a8488b9aaa7f82fd57047cff58473b84f7b57fe1dd152211d35a3c705a762b889b1d60cf96824b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
5671dc12aef75271e8657071ac41bedb

SHA1
b3b6bc33358952a7c8213d62c18db11ec91c6a7f

SHA256
39ab62639f72b62121b29fed88bbc56514d5ca8e5d18816c66ea68ddc8853164

SHA512
0f1923ab73e547d7a4a2b0a6442ce7a736a916b6514d0a5cc8eacaeafb6bf22c32534a765b2c786c1e545d9b62b1a17e179ef9df991da2acc1bcca428aac2765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df271c9c6fbde6d2578eb61cef8fcda8

SHA1
4fcaa97772af7050ae3892115eda95a95148286b

SHA256
a9d185921e547ff5314328de96566e609140a9246c85c240e237a05a3cf0bfcc

SHA512
648ae020a74fe4de62b72756b7e4c08f21801a5db8e45bd98b495658ca5b259889d74a9674af47320f1ad085b2b319e21d242559c317ccec26de3186264ffd18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5980d4368728a55ebbadbdabb360884e

SHA1
f1899cf7386c4aba45cbe169b9d97205b913fda5

SHA256
7c64edc99d818c2ffd1721d2b794a5186a0f575653ecfb151eef95c1448901af

SHA512
e9997744507005e55017b2ba7205cf1fe9303eef67d172db9083dfe6abce080604e0858d2618d46f2d86aed69aba16fe07168150da0d84d84873702efc29fa5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2c69f0377dea1bd99bc0643ee0bdaf0d

SHA1
07a1bcec79d22fb9d7636cbb129bf0ca8bab8938

SHA256
21173edced3935d515f461f7de186b550bd0a587990500037ad6778d269da4a1

SHA512
6901c45febc51117952cfb7f33340bf8f2cdf671674280db79c6b8e64a9cdbb5de8ffcb32f3b9cb8540b7e5c8cbd324ad1e6a4d49d8cfc034f6c43c4f3265b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a8bde06142081e9d12f85639f136922

SHA1
dd5601addd231e8ce9edc30cab72d6a79c0733d9

SHA256
0d9edae355083195f18862a702a8bd35a17ffc0491f52bab5c89d27b4f854489

SHA512
e2f1e6cd858549911eeebfc170d0f661c0ef5941464e48c47e22d4b6c1046c0843d1a4783bd97d3385978bda729af6b535f6f308d2b9f98288008da3ddf95d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
a1ca9d67845ad2b82032ae727eb50592

SHA1
428a1eff9f736d11835ddb96d96200d9d05108d3

SHA256
394f32f314713c92879bc9db3ad891758d24b3a2c8c5c1f92989bb713fa91dd3

SHA512
3ed631ba8282c7db2524b623c8a1ad4c3098f4291fa738cab925fbbe285fff9affa203e90a06437f54ba4fa576a4bfdf66d1deb46c6aa7cca8793de00448ef98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
cf412197d5875d46035851307870a49c

SHA1
60c4b8d9b335f5bc5689219295cc0acd33d8739b

SHA256
e3eaab93b578a5e3df371cb3fa9fd8a52e2af5697fcad3d490837a40fe71f912

SHA512
bcc7db63fcbb0e764fe7d416eda36c0c9601fc62265ef3d67eaf8c04fc1b9b64374399baa15a6081907977dee7cd192bd77d53d40fe173736b34ab69425181d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8b53ef336be1e3589ad68ef93bbe3a7

SHA1
dec5c310225cab7d871fe036a6ed0e7fc323cf56

SHA256
fe5c2fb328310d7621d8f5af5af142c9ce10c80f127c4ab63171738ad34749e1

SHA512
a9081a5a909d9608adfc2177d304950b700b654e397cf648ed90ecac8ac44b860b2cf55a6d65e4dfa84ef79811543abf7cb7f6368fd3914e138dfdd7a9c09537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e498afe43878690d3c18fab2dd375a5

SHA1
b53f3ccbfe03a300e6b76a7c453bacb8ca9e13bd

SHA256
beb39e9a246495e9dd2971224d23c511b565a72a6f02315c9f9bf1dcfae7df78

SHA512
3bf8a2dd797e7f41377267ad26bde717b5b3839b835fe7b196e748fec775ffd39346dba154bb5d8bda4e6568133daaa7fefa3a0d2a05e035c7210bb3c60041a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3bd1ea01-8711-4161-833a-d819ca5e7512.tmp

Filesize
5KB

MD5
0b56579384f656e8ce6597a940ef4453

SHA1
2c004e18bb31d68becadfedc18e230ad467db082

SHA256
ba86814524e6d41a1558b8b52eed6d82e7b768e2ce743d98953a811f84bcb118

SHA512
78f5c5f1ff020ad4f7c7d2ea3c6bc4d2a8305f2b8646dd5507d3050df18d08238c21c63c7ec8fc65fb7a3df4b3326c7551d19f3512261029d67acb691271b55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f7aa007aea906577efd47d4fb2a9d74d

SHA1
733a75bde43d6f8210b3bec38f9adff4b65a53b1

SHA256
d7d596cdfdf9e546d60298aa9f2c85776312e934ceb1ae0f17b21b50a997b0f8

SHA512
c50910720200055a702909873f8bf1db5b05a83260ebe3f7860208d7dfc0f85eea254db430fb088571584a8a019ec26f0d4e1e8fb9c3b02cbeae8a72502d0192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7338828e4903fb57e7f2cc1b2dab2e09

SHA1
e278550b06a104853d844975548d8d6ccd83d7eb

SHA256
6064735c97bdfc89377fe34667b2a4c63beb9cee073983f9da3845adebb6f7fa

SHA512
a995691621aa77c2e9e2c4bb1f559d01127a0fff3485e39eda819be2bf9d9c9184530d8ea2562a706870c4f54d5964721b535b301709ad808f4b5935df5b0307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\TransferXL-08WN4V1zbZbc7.zip.crdownload

Filesize
503KB

MD5
1eee0099d01e16fa6c4f71a786c5fda3

SHA1
440825a9660b97f3ddacb6b05b4bde7bccfbfe1e

SHA256
25292b98f3e4077a330447ac5b0151c08edd7354edd3b0d94140e980bbf5c977

SHA512
768a655ecd580eee2e6b83360df964c3ce886bbb35f2b6c348567cc29cb916196c82ddb4e7ed5e91e78ab2e747da3a89c0d0228fec139c8fd9c9dfbd38cfbc7e

Download Submit
C:\Users\Admin\Downloads\TransferXL-08WN4V1zbZbc7.zip:Zone.Identifier

Filesize
496B

MD5
51d78166ffc154867b5a86a00f55a536

SHA1
fba3dd5801c61154fc069f264539be5387b1ae62

SHA256
3881cc4d08968ad77e5eb1ed4dd8147f51aad7b6e3c33c62a21b68eee8af583e

SHA512
d14fe08f9dbd4396c4b64d3e7af8696e85290a83bf2758702cc0a47c74f5ff97c47fa5a8f57c193980162afeaba2499dd149bbc3811b0b7fea5d77b97db6ecfd

Download Submit