hxxps://pixeldrain[.]com/u/JsxBPN1B

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
20-06-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/JsxBPN1B

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633574497621061"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
3876	msedge.exe
3876	msedge.exe
1860	msedge.exe
1860	msedge.exe
2304	identity_helper.exe
2304	identity_helper.exe
4648	chrome.exe
4648	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 3840	3876	msedge.exe	78
PID 3876 wrote to memory of 3840	3876	msedge.exe	78
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 2824	3876	msedge.exe	79
PID 3876 wrote to memory of 1560	3876	msedge.exe	80
PID 3876 wrote to memory of 1560	3876	msedge.exe	80
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81
PID 3876 wrote to memory of 3200	3876	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pixeldrain.com/u/JsxBPN1B
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc63383cb8,0x7ffc63383cc8,0x7ffc63383cd8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,14580751002886772612,11079701362030603867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2192

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1472

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xec,0x10c,0x7ffc62cdab58,0x7ffc62cdab68,0x7ffc62cdab78
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:2
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3496 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1836,i,12964042552033577564,14033095173442320369,131072 /prefetch:8
  2⤵
  PID:2388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2a63cf189809ddcfb973dabb94c612f0

SHA1
54827cee8e8b14a255e51ed587601c5074cf3b44

SHA256
c000bb5691ededa05f6802927370f38877b600219c69ca7bc94a1f471f8de5f5

SHA512
5ecaa80ef70744dfb315c8d8ee594e7237092c883ede3524ae283d6e7a82c06841ff02fdedc7ff540dbaf624d0f70ec9c6a89b24017ccdfdb9ae53f07ea9bcb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
3ed7e76c7b59a5cfea5f9a4e717f9c70

SHA1
da50d78a73e48a059223af33e66463306f85e622

SHA256
4b9c36e4d8ed8e4fe9ca5778807727d00abf95386db3533ef5f94f9119c3510a

SHA512
48a96be13b98d869eece704b17f06770fc434068a3e17fe8deba108dd3961ad13a44c6a464d13f23237126c66698bf4686c1b63d2a7d979fd5af8430eb8c72ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc51d011cdef95dd022115c30e894941

SHA1
996ceb0feb73cec943ca83e43043312ffb513f40

SHA256
e366a6f65a2cc0e0a46cdcb72d96d77502fa9367025c611c199659a3ef432b35

SHA512
0852c715c6e2c9872381e2a5d7b2b1825a8090ac64dfef583f4dd56682eeb7e9568bf5a4c9a7c69befb87944348fb0503670f98a01510c1e4b57a8ef3f07a897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75129d1b1c2645f05d9f513887a32601

SHA1
9d3290698fa954657591f720b58b7d9eac2dcd1e

SHA256
8bcddd0ee7402613e062afac1022450559b994d27548ea8e67dfb735d5c36349

SHA512
2b5656b54f744e3610b90c9776b31975e9037b97ddc89b234eb3af1dbb65b50155214807488cf85a732abef5f65351e7b74283fb4ea742d2538d78c305d321d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
486ae5442f80cd8f614bf1e5f63079d6

SHA1
f2aa4743bc0a56e00f1e660c108285ba90ecefbb

SHA256
9b96c043ec0c3601f2f946518b27fc9bbc30b63a029d1933bfd1aff521f6d182

SHA512
4535a1dc311d4e088e1a59bf3c242b4c99a1ee27a2ef087e02d88c647fa096c851dd4657f020aff8af6deb6440ca18507736cd3a41ff4f85fe8491e574e0eecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e1d8412b100f8bd948bfeffed6010534

SHA1
4271bf5bf9705ee79e1bedd1500ae5ba0de89de6

SHA256
ec6ef3a983b1851931ee25bef995fa47bf76a3b3aa3a6447280d9334b4bb369f

SHA512
7c0f3a1b3d23183d5df8a9894688580fc110a37732a5ba4c7c6000223ed559e851e2e845b9d1bb25f9abee921a6cb31261a344d333c1d4cf4fb41813a41c5aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
773697d9c8b0475ee72f46a4911a9c21

SHA1
cf16e7cc5c03f103f8dfe3861041e777b6219611

SHA256
cdf6900599c936263382560efb1988b2e0823ac6aa5ee3ec65f8198e19a3975c

SHA512
148d2b15e481c34569bc8b94033e6bf9c231cfb450e72c6904552bc95063164ed70302cc69d60a1d0f5cb475e3434dc70220fd097ec023e11c410eaaa910c9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c462e1fbcf0516df6dad138dfaa6b1ca

SHA1
5ab783b807cc7a3230362518c9a462cd27bdd5f4

SHA256
4373978f262f013855cdaaca07c6a924a791ca61c0c60e56aa3a7b14af81971d

SHA512
6610e71b357bb90049a117d047a483a06545a8a18509bb81d70dc64dce2e62632a5b5b1d2c34371a396269d713da4b50ddb466dd7c5da06fb08cba03b4202081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
52125a8eee8637b056aafee9a8764953

SHA1
7841528ac60513edc1674f799b7ba43352ccc9a4

SHA256
e7da43c5e9c69e73fbc86ff6063259cbbbfba992382c0abbdfc1abe7340897b6

SHA512
ffc26a3889cc68d71697ec216746044360a026a1ff1bb9e11cb2c6390fb309c9b94be2c8f317de7a6cbe5a6f15a32485b34c84d37cd541117e68ecc1ac96d406

Download Submit