hxxps://github[.]com/Z4ee/Pipsi-SR-Releases/releases/download/1[.]0[.]7/x64[.]rar

Analysis

max time kernel
42s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Z4ee/Pipsi-SR-Releases/releases/download/1.0.7/x64.rar

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625322897642792"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3784	msedge.exe
3784	msedge.exe
3632	identity_helper.exe
3632	identity_helper.exe
3028	chrome.exe
3028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3784	msedge.exe
3028	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 5096	3784	msedge.exe	82
PID 3784 wrote to memory of 5096	3784	msedge.exe	82
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 2956	3784	msedge.exe	83
PID 3784 wrote to memory of 3968	3784	msedge.exe	84
PID 3784 wrote to memory of 3968	3784	msedge.exe	84
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85
PID 3784 wrote to memory of 2252	3784	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Z4ee/Pipsi-SR-Releases/releases/download/1.0.7/x64.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e846f8,0x7ff8e7e84708,0x7ff8e7e84718
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1303877569371955170,6955120501338891224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:5316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8d5f9ab58,0x7ff8d5f9ab68,0x7ff8d5f9ab78
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5772
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff75435ae48,0x7ff75435ae58,0x7ff75435ae68
    3⤵
    PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4644 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5012 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4312 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4792 --field-trial-handle=1900,i,13228986976051643826,11122803617431586112,131072 /prefetch:1
  2⤵
  PID:5568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\602b03c8-aa40-4878-aee5-b7af2ebe8bb1.tmp

Filesize
7KB

MD5
232e2aa2fe0fcaed9c9b939098858cd8

SHA1
0ffa89aa3885f6b6c5ec19d834b5c014df734e9b

SHA256
3b48cb7a4fcba33c77082aeeb9c42300eac6f3f946987eac16aa76d86046928f

SHA512
477853db1040b2bd82ce44f1a9069d232481788d9c2773c839b335b84bd54be3ebc672dddfcb63d4615c0c0ad55fb112868350ea2e1df9696411f4c52058ab3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
43b3b095458c6350a92bbf6f1c27c1a3

SHA1
8fe980354544908dc5f68aafbc271e30e41a1c50

SHA256
fdcca27aad2c110439e5d1ec54bd755285700b84f1227e59571a4a45522e8caa

SHA512
99667193b85aa128cd2a821f2b84021a928770b097b6e56267b673fa9994380b5023d19caabf6c9ecdc23dca1f8952b651c388641bbc91e61814296921ce7692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eee8ac73675b1ba2535740330768948c

SHA1
a87b8484b4b4517560ed07c04cf8b8ef0bc42277

SHA256
24cb7371c2ccd764b7e9a71508b4e51abad7f7f51a3ff7b36687651942960393

SHA512
37fd549ee2de38dbdfa24c927adde7a205cbf5bd62f9bfe5ebb7d84a348d7de8351cb10a4dd61517f1838b01af92e1bd11999ab87fcfc2e814a50903d0525f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
003702d995832614ca72f0e2b3cfee2e

SHA1
407db36825ec1a9fef3d73f275a2e0a8cff45f4a

SHA256
9d54ea9efec932c8fbbdbed0c4b667c5722bf70a42b6f299d811cb46fd419298

SHA512
598ae47d3297747fd8371b5cd4831fbc323e8d14b68bb9abe11e7670273b94c1ac28d4352cc409f96b3aa40988509943b14bca994c1c687362ae547e3ddef6c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89c6322da5b993540eff0220ca87fcf1

SHA1
4746a79298e169ca84756e58617acd343d8170df

SHA256
8a1a573f2972c7ac1d760bcdb248b914a5f46a121000b3a1929fc0ebbea4a59a

SHA512
7cd7b4b56c0eae23d8637c8c3c1be2a19f5e71ff42c9cfa8e15cdc7250cbc95950f6da2d558ae4fd01c15b0c59d3bdb9617cd2b885f64e3d9b1e02d9c103ebf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e46633027cad4f552ffd774bd237ff38

SHA1
2a8c06a723ac31bd983c8bf6a173550053192894

SHA256
c847f7ce3f93b923ac409cb85e81425ffa44d7e66bbd76b8aa9f41fd2bd6b861

SHA512
7f6f582c943f02af2d3f4dd2b08073a75726e0edde2f74466f0f96e4eb99990d2ccc00f5ed057cfbfca82635dc1569f5428e438fb88182aca9c65f78cb9d56b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fbb0c37025fa5f4866a27fd39f8af26a

SHA1
d8bc31e456f65a01eec432b6b54b8c1019f095c8

SHA256
f2565ae0cbc06504349c46922a6e0b201f82ffe6d33374ecae42c62ffa1cd538

SHA512
27e1d8f89b94fb1fa30eed8c902c65b354ca117bd2def8eab50a8584ad1ffa6358db90a00c198abf158acfa9b9bd61dfc359c41bff45dcc49642ccbee8d8e825

Download Submit