hxxps://cwitss-my[.]sharepoint[.]com/[:]o[:]/g/personal/nblake_curtisswright_asia/EnXpOthGKcVGmNzstkbUkXwBGD1HvpFIyzOezsAC44UylA?e=5[:]tsodqE&at=9&xsdata=MDV8MDJ8bWVsb255Lm1pbm5pY2tAdm9sdm8uY29tfGQyZjllZTNhMGRkMjRkZWNmN2M5MDhkYzhhYjcxY2Q1fGYyNTQ5M2FlMWM5ODQxZDc4YTMzMGJlNzVmNWZlNjAzfDB8MHw2Mzg1Mzc3NjY1NDQ2NTcxMDd8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=S2hsaHJzSmlhMmtxdUhISEFDdnBnY3p4cFI1b25zc29TVnREemxxejYyUT0=

Resubmissions

12-06-2024 14:27

240612-rsnn3asarr 8

12-06-2024 14:24

240612-rqzcsasamn 8

12-06-2024 14:21

240612-rn7w5syakd 8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cwitss-my.sharepoint.com/:o:/g/personal/nblake_curtisswright_asia/EnXpOthGKcVGmNzstkbUkXwBGD1HvpFIyzOezsAC44UylA?e=5:tsodqE&at=9&xsdata=MDV8MDJ8bWVsb255Lm1pbm5pY2tAdm9sdm8uY29tfGQyZjllZTNhMGRkMjRkZWNmN2M5MDhkYzhhYjcxY2Q1fGYyNTQ5M2FlMWM5ODQxZDc4YTMzMGJlNzVmNWZlNjAzfDB8MHw2Mzg1Mzc3NjY1NDQ2NTcxMDd8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=S2hsaHJzSmlhMmtxdUhISEFDdnBnY3p4cFI1b25zc29TVnREemxxejYyUT0=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exemsedge.exemsedge.exechrome.exe

pid process

628 chrome.exe
628 chrome.exe
5484 msedge.exe
5484 msedge.exe
5964 msedge.exe
5964 msedge.exe
5816 chrome.exe
5816 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exemsedge.exe

pid process

628 chrome.exe
628 chrome.exe
628 chrome.exe
628 chrome.exe
5964 msedge.exe
5964 msedge.exe
5964 msedge.exe
5964 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe
Token: SeShutdownPrivilege	628	chrome.exe
Token: SeCreatePagefilePrivilege	628	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 628 wrote to memory of 3740	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 3740	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 2140	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1020	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1020	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 5012	628	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cwitss-my.sharepoint.com/:o:/g/personal/nblake_curtisswright_asia/EnXpOthGKcVGmNzstkbUkXwBGD1HvpFIyzOezsAC44UylA?e=5:tsodqE&at=9&xsdata=MDV8MDJ8bWVsb255Lm1pbm5pY2tAdm9sdm8uY29tfGQyZjllZTNhMGRkMjRkZWNmN2M5MDhkYzhhYjcxY2Q1fGYyNTQ5M2FlMWM5ODQxZDc4YTMzMGJlNzVmNWZlNjAzfDB8MHw2Mzg1Mzc3NjY1NDQ2NTcxMDd8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=S2hsaHJzSmlhMmtxdUhISEFDdnBnY3p4cFI1b25zc29TVnREemxxejYyUT0=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdab77ab58,0x7ffdab77ab68,0x7ffdab77ab78
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:2
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:8
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:1
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:8
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:8
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4544 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:8
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4720 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3044 --field-trial-handle=1868,i,3639218139426070274,3290662531113956033,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5816

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd9c9246f8,0x7ffd9c924708,0x7ffd9c924718
2⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
2⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
2⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
2⤵
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
2⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12858257945635618119,12299351360743219321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
53c9687f487cc17c00ccc0fc2b56c188

SHA1
3eead5db0bd71b45d054c7addb3b8ccfe57e8da2

SHA256
6e329d7a51ad578935a92066c2fc27e235082dda8cd797961a9aab4afa65d7fa

SHA512
55b5eb2f8b3fee820fd92e2c6a61805ca383610cccb0b19a73be38cc158e0e81044a27d813e6b4e68a10a2c15104ffa7509e7b33e14751dd144301ed0c5e7cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
84fdc253b7cb6a0f346ac2dcb06fadec

SHA1
39ee872da90d593c25949059e6b930233fb0d76e

SHA256
36942e76526db54c009f22d808d86fd366b026e359fc77c7b144e4eb2b6879f1

SHA512
2fe808b6e710fb33cf1d94b7fbf54c05e81d31979524d5f77084fea585817f7c1efaac956e18488684b0c152f7b810f7b89263020075e4dd6d77a10ee588f96e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
986c8d674006bcfc157f2819f251f18a

SHA1
fbadc43b27f902c6a30eff00c6f4ba77e93e1b9a

SHA256
de198fb23892d14c4eb5a3b02c5719b109e12fb042d88c58a0e6d7a2ec5ae281

SHA512
69e4a38f71dcd0d54a81502f680fefdce7bf63caa2440d8ac8da2242010cc044d478cb2f68b27eafba73c3e98910a9811b67d5309d6fec864b9ebaf096e5774f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
92a0121bb67e82ef5ea6511647cdd88d

SHA1
694a281d1638134822ecaa5354ec06e87b30fa05

SHA256
bb93fc16dc2441c7e4c8959854cd4053cce03d026429449ae77e1896ead394de

SHA512
2d0b88969fc146ad258a1e566c30331625456433e0656ba186854c320e71c8214f57f058150c8a43c5a3dc1b55ad399e55c4681de169c0b0dc17a4ce056892b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
689B

MD5
006ad4bd28e58d841c1316dfd38ce628

SHA1
6e553af5886eab35682c2f61fbb77cf6a9ed48fc

SHA256
fc3824bb27300aac13c99ab9b8a6badd300a922a4c40ed56970c39baa75d498a

SHA512
7eaf4a0174d476fa202bce80a11445e3bef9693ef2c3b09d8b6850023be572ef2539174ec7611cae09a4268c8f380825e6cb3338d130b1e13c1256110e44b4e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
25f72f61be5610395ccf59288bde75b0

SHA1
37b703d9d598c9780d8f484c2114ced6cdc667a6

SHA256
c27596291a04e11f09b14978e7326be55127bddbb2662eff5f9393b608803fee

SHA512
520911a121f827b1cc41c51e0b96954240cc0a98214d11a9d61b20bfc96cfcd689f93032ec8b19990b5b20743075958edc12628a61b70480d7f7f7473f6d20e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e1277aad0a76bb4dbc1cd7b09663d6f3

SHA1
84523751da13d4ee0dbebc9a2f4a85032cac9a1d

SHA256
c0090b259c37a44d394833789e9d1fa6765187865a1046f171549379466cf395

SHA512
f90bec02586f02f1abc5f7d8ba4d03f237f5ddc23f13f7c87a3191443b1b7c44cf704910488a2768267425d7e0cc92c62442c34d49b74bdfb3029be0d357491e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bd84cb9695021044467bfdaf90a4dfa7

SHA1
a67f707e855fedd47a88d54b9060113c20c5d2db

SHA256
1413f9e94a17fbf0fd66fb92dd4f5148fd125e37e29efa513f62dd17b2b57c12

SHA512
6e2e608140457341a12df8139f19fb6eecce244e9009b08d962fd66d6c80d697cd969064b5a02242f82da21a52d062d8754032f73f57bb108d0b859072b9d28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c136d3ef6b9cf73e5e18b2e28fe02322

SHA1
c0154a793207495255a248efe02ad463981d994f

SHA256
e6f1d1214a708aecb99dd5bce88a23af7d7647ffbd5b4d8903fb43351682b2fe

SHA512
66e64c301922099051fad58a992f6129c2dde6129e44ea7124142dd595ed4fdba341c47883fab567a90ca54cf2a6d9a7015d54f3dab92e8ab8f81c51cce5da83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
53d3ed56fc9e5966f27810e43885e510

SHA1
7f47b0a6fa1232be93c74bd1d2697568a76e95c0

SHA256
42b1c740f6d6aede24ee1fd1f5938e857ddd7418d5c7e7f708e3793a0732d32b

SHA512
8679d525d4d0143ad550db445530495ace46aab1dd5110093bc0e8a03cf713dac74de0a88aec4fceb413493d72ce0bf9cc8178de60e36a58e3f4d43c95c43b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
d5f7af4dd38328ad82e35d626631feef

SHA1
f805d4c8074fe3fecef3156e2c436f376150742c

SHA256
03dc0e6469d15a16d5c6d89ac3321df327a7c1b04196b7c77ca6b958bf7076a2

SHA512
56584cf9dbeea16d54ba82c8717d1c2ebd295de70a8f74ba8b36b9bdec6ddb9c68a5a07d927c5dd1b9d7aacf97a163e66a9445b54fef43c04efff05cc4fd25fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
2b6d41a8faadb5ec79b269e6460f8572

SHA1
2751fbca1056616fbb3c1aefd687b3a6e58a465d

SHA256
251e94db08861df361cdfbb778c6c67f31bdc9cdaf7be2954a6c8c709d0d8fe8

SHA512
d1e47169de120dc3e7d57e82ec9ace0be31a56f215ec46140c98ddb54d8f49137a4c684bb86aea32071c695ff68506881b59e44180cdcc1fe6113d1638ce7e83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
89KB

MD5
22ebc31643c6023c0c37f3e04214b6fc

SHA1
d87ead021434035b9b48fac7dfc6fe1ed35d0fed

SHA256
3417ae70cae8321083b6319ad0daf532744c7cf21ee272215dff03e7ab98e9f6

SHA512
77d0891803fb7b2376082a34c32d81f598494364d04521632d7baeb32e9a2ef3b543d70f20c6a2c52dc07d84ee59e98cc29dc911d1f3f5276ee0dfa2fec769c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57a23b.TMP
Filesize
88KB

MD5
52526160f1833b76fc6368aad3a36d66

SHA1
00ca2ac0fd60e1a423ce05a4196d430e1d1044c6

SHA256
0394eb5797500a2e1894e87c6b5c6845837ce08f66d5c8dffbac25d7e5aa2edf

SHA512
11dba01e1c024a14261e360bc8095b30148463f2b4007ceda8879dc92ccef66ef3142fb61f3abc57db4ae994381b0aa451129fcdaaf5a0ae52cb4148a37cd4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
182c3bcf6e7fb7e171c239c6f20f989d

SHA1
b3048a741e57cceb276e63d5c5f50f18eb6bb7c5

SHA256
6daae5134285513fda4c8f2de519a0943ec24db20b81d67f24a8dd69f5e9bf61

SHA512
635400d60b77ebe6d98b1cae532a1161821dd876c979a7830202e46533c1eed12387e731cbe99a10072a7f49a13fa1f07d6e5b2ae334bd7afbe68e1d39d3fc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
570d623ee73ee0f93a1913b64b54e908

SHA1
22b049879f54d33e14d13dde37eea090197381c5

SHA256
62f7e292490ada69550f738da68741210bd5c9a904988adc2918786e56a718e4

SHA512
7998d4f32aa084b83e54b92f0539d71959d6803ed07905b35e7b9f758350a58ef70542a9918fd3ea46cf333cf99118c8d0ec00603cb7a718ff866097040f7f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2f04244fc1b38eb86d359a2ce9d26fe3

SHA1
dd5b717b32260f5bb2ce45a4b11b13c840b29a01

SHA256
dfdd63642fe1ccea356b614eb5ab7511854629d92ff6fe1a2d55bf0883e5e97b

SHA512
c561cc7e6fbc215f604d00a8de5b26f3dc951ace85701ee73f9254fcf7ad0bf0b27d3d94730a74ee70b370fe04bba2001d0159c10f05c04abfc96180c702d996

Download Submit
\??\pipe\crashpad_628_JWDJCDJXMCJMNIKR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

pid	process
628	chrome.exe
628	chrome.exe
5484	msedge.exe
5484	msedge.exe
5964	msedge.exe
5964	msedge.exe
5816	chrome.exe
5816	chrome.exe