hxxps://bfosw[.]ca

Analysis

max time kernel
25s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bfosw.ca

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607879919315456"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3804	msedge.exe
3804	msedge.exe
1812	msedge.exe
1812	msedge.exe
2080	identity_helper.exe
2080	identity_helper.exe
2132	chrome.exe
2132	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
1812	msedge.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2996	1812	msedge.exe	83
PID 1812 wrote to memory of 2996	1812	msedge.exe	83
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 5048	1812	msedge.exe	84
PID 1812 wrote to memory of 3804	1812	msedge.exe	85
PID 1812 wrote to memory of 3804	1812	msedge.exe	85
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86
PID 1812 wrote to memory of 2240	1812	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bfosw.ca
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8030d46f8,0x7ff8030d4708,0x7ff8030d4718
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11633787057081012701,12390393513626063802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffff42cab58,0x7ffff42cab68,0x7ffff42cab78
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3916 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3544 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:8
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4860 --field-trial-handle=1920,i,10533883076537140923,6053446411995225634,131072 /prefetch:1
  2⤵
  PID:5592

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
1215da1fcbb910a809cdbdc3ed2236c2

SHA1
c4cb183e21188f19a39c9b5dd60fb46b40a5b94a

SHA256
d2f8392e8986b47d1605eab33c53790975c6d1709684400bf09a1f9ba0fcecb9

SHA512
bd270fccde3632e9b9bfb3185e96f86ba1d53b2114275a3388edda924d2ad9e4fd84b42ee6c6a525eb565e45412b9b53c2b03cdb7c6d386df0a03b8c5375f7e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
48fd982933bb29d1985d28b29869de63

SHA1
de71ce4fa170e7869c0f503dbb712bef689159c1

SHA256
4b3d3f13d65f6b6fbf2810bcffb253fb2e19de3afc06f679513fe138b54840a1

SHA512
bf967bcd6ec1137fd28f0a480db342ff86659acc0ae3cdf90c9d357135797292fdc4ae86e95b6b934eb7ef75c88043974f869ae9701606a63a973ccd4c0d1c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
57bf307b98a9887b05a6e2365313cd98

SHA1
017de7572779090594d9833cbd130288a282abe6

SHA256
a9c2c4af062f8e8dca6e9c7256fd453aae3471a4c00e3bbe09429c11b0ff13b2

SHA512
c9fe741e8f264f51348183898ce02e6789d2b524d4fdaa92f5d2efc96de9073c8036227c77cc5cd754f3238bf23be71aa6be6a72d7916279945e0ebabef9a5cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
a71f21913c938a354f6d5fb6433bcea8

SHA1
516d24d160b05628ae15250943ae602c0dc94ac1

SHA256
55a01451689bb105c6f1a3a1a0702bc5b52657835367185772a4f8410fd4cc7b

SHA512
a0089053939e130b0ca98422223e7ee98ddf64eb83a1018135363cb716bf57be9d9273c53f8cb428aaf0d184384234d0e76479ad7f496c8f74d574bfde96cb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
432B

MD5
dc5fbde79e03afc34783132b29f3ddbc

SHA1
a08da02207795ad87d8c356b6cbe8e601fd550e3

SHA256
825878d5c730e1afffde80e9ad1b4c1559408efbb24fea58506eb0d971a1f799

SHA512
7efec3d0dc29f5fc159be259bd271e29752f655d82a02e4446c76f75029e43fd0386a8ff0d3bb0e991ba3a4d4c04b20a56564580d554d5f8a332d913987ae69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00949d0fb451eadb27215441253a30c9

SHA1
d4b67aafd0efa26768b4eaf11e752c04e4fa5afa

SHA256
fdbff3cae3d246047e9f719a72b55042871b81ff121114da2a274bb20caea9ea

SHA512
fc174ce46ec6e39253480d068de0a4ae1d3f6cf62d899ba3e97089f67749ac63b57af88aaaf94199afa01df7c0d2abe20b6da5f69856617aa0b75c29ba16ce0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df95c1818622452b95f52d3ab350b3f3

SHA1
9bbef2ef911959df7f0c29c9f2ae6601e06a0f5e

SHA256
2657127bcb7ae92dc88e64d609393bc62f156d070126c6251904e512b5efc017

SHA512
9d69b2a655d7694f6d0d0ddf7f975c8929745171f9d0e299f4d477a4797d385c1a1848fadb4bdb098adb281802045a88be3a7458ee2c1cbb2c85adf093ab4149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78fabf09837bd0b861573cc51fe58705

SHA1
583df4a0bd6312d40f6e0f29c5d76303b6bc866c

SHA256
9ad15dac8d267a42d234a5cb1472e3b19c951b28b2e32fc5c3c2e6d9cb5d0766

SHA512
7013fee84aac07cc8c0e18e663f7f5b61a9b0e673d060dcef58b81ab2bbf0d3ca9aabed5bcb8ad7d727ea1e69326a36bbf41cc1cc7a39590a6824ea33608d2ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0cdda69d4ba2fa412dd3ff230a6a00ad

SHA1
6adf7d89451bf4327c7ebc9fc57b069cdec0c3b6

SHA256
c941e8b43a287ac996936fbe6b502e5d11623b2e76b9214600338b91c391a499

SHA512
d01b99b6494ee3d9cd0a1079da3d0075b2f2d82a9a8c024947972acf7c38560dac5fdc04b0f93ff1b10f8f24aa4313654445b3edd04be8381bbd863474ab5ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09908a7525d6c70cd17853f21efabfdf

SHA1
cf001c292c53cccb6079ea9318102287b7d76a82

SHA256
7e57b32b99fcf7896365d841f13bcaf92dc27dbca56c5460bab5965c7fd3b732

SHA512
1512603c0f8745ae39f3edd111c97746950e432d7cd795b6aa9b510d02200191b91b49206ffd3410d3ca69fa9ef50d14ad94ddf74e7934d202e7a65eb0a5386e

Download Submit