hxxps://intimaciones[.]afip[.]gob[.]ar[.]kdental[.]cl/Documentos_Intimacion/?id=22564&code=pZZWDwmEwpXAZfyvZMTsEiuyCasUCnPYIlfOlLLxplWBnkwPAXvFibwjXFG

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/?id=22564&code=pZZWDwmEwpXAZfyvZMTsEiuyCasUCnPYIlfOlLLxplWBnkwPAXvFibwjXFG

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643172623004046"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{714FBE1B-753F-4597-BCBC-258B869146EA}	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
536	chrome.exe
536	chrome.exe
2392	msedge.exe
2392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
536	chrome.exe
536	chrome.exe
536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1888	2392	msedge.exe	121
PID 2392 wrote to memory of 1888	2392	msedge.exe	121
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 216	2392	msedge.exe	122
PID 2392 wrote to memory of 2852	2392	msedge.exe	123
PID 2392 wrote to memory of 2852	2392	msedge.exe	123
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124
PID 2392 wrote to memory of 1236	2392	msedge.exe	124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/?id=22564&code=pZZWDwmEwpXAZfyvZMTsEiuyCasUCnPYIlfOlLLxplWBnkwPAXvFibwjXFG
1⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3732,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=3112 /prefetch:1
1⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4720,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1
1⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4872,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1
1⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5468,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5504,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
1⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5240,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:1
1⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6276,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
1⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6420,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8
1⤵
PID:540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x338
1⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4364,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=6660 /prefetch:1
1⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6816,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=6892 /prefetch:1
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7120,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=7136 /prefetch:8
1⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffcefca4ef8,0x7ffcefca4f04,0x7ffcefca4f10
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2264,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1984,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=3352 /prefetch:3
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2292,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4396,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4396,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=3336,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=4468,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4716,i,2173001445665733224,12370665683175315447,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd089bab58,0x7ffd089bab68,0x7ffd089bab78
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1928 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=2028,i,3525046038641629574,15911550479094826588,131072 /prefetch:8
  2⤵
  PID:5168

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
cd1a29c245edca1fc07c973a6efec4c2

SHA1
f9331bee9deda52967b42dac2607819135a23222

SHA256
4bfe7703d5537f8e7b7116d5450faabd78420563e9bab58de4551fd197b63fed

SHA512
fcabc5b99dfd40f24ae8489c42baa3257477e25b9ce6f91fc37ba9c5bf58f4c150e40227f4889da9205e3f7219531935385f0ebae4dfe4848ba78d01a919fa4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5ae966d0925080f37f58119f416826b2

SHA1
7d375f7f6f279ff0780a5435bead731bcbab4ea8

SHA256
53bdbce31fd2abe8b59ebe950abe681e2cc3c366e98955226bcfd4f44935116a

SHA512
2cfa41cc7addf8435533daf9cc8790ff2595109c567ee122daa86eba236f25b5d1010f8300e254d93c524513c714f562ef0f4f1c2c3de0e444b64d308d8a427c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0f8956ffb503f3f52905551f6e1b3b6d

SHA1
7cd4866c107d07e27dc39b83d9c7ebf76bebba83

SHA256
db5727b2cb1b7020ba24b56d6bfcebb6f141ec4d0449f48cd8022e0fa752268a

SHA512
4fc13ec96d88b5d8a5ce232e20f9352c4255db638e97dad8858a7f6ed65c692ed808b44b3c7ef124967c583bc3576e36f5d67b60fbf805e733a6d4561f27e633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d4775907-3812-4b3e-8f28-982cf2ad11cc.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
d2faf2471d6726cb7f9278ac9f432bd5

SHA1
bb7a75e947a7bb3b49fb61f9b66b434b485d6ade

SHA256
502008bf60094e26c242ef3e452c12e1ba3885bea06d682f5e6a9414bb5bf5f8

SHA512
c3b31500bac5826e48b29be3dbc93b3d7cbfa1000aa7b7b9d53ed8f106e2c3a752e9ae63efb42898bd73f9960f3935b932b867338d3165b3ebd7b816e886633c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a1b0c5ee2115dda7732a9420f8eb9575

SHA1
25a9e50dafd2302af46da816e5f420b0d51b401b

SHA256
f6d55a759d9cf32522383f0e571559d368a03de2da1d57772969bd66d251899a

SHA512
f41f7f3fc5d1d52a6648c3bbb771eda7575bbf4fbc7f1512dcee6d0804bf3f65bde65b446e62bd502ebe06c192f08d4275a1d3d940ec8d011208c03762096960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ec513644-3b75-40df-b461-f28d3486dfcf.tmp

Filesize
21KB

MD5
912e6224a94bee8b1d86e989443b4d00

SHA1
42502cae3c5affc011a400bc669d61c1b5a0db1b

SHA256
63dc59e8e6f285ff71c2cfbd17999bd3ea716fd552dec1f96456daaefa95f08a

SHA512
42cf699e7d5b40e3db4e670a5c1a2bf6b1b55eca3332d6b3aea5897869b10fc5932eb5756313b70e75067e418e477ec2b5df9a7b8f8e82449ebb9e126ef994f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
76KB

MD5
01fb48329cc87aee988621c9639e9afc

SHA1
6a4a60ecbd8352b25fbe2bb6323c3c9c25c0a484

SHA256
344c5175f9f93234caf338d8be74946f7f4b6821cb37374d217d33669b20319a

SHA512
7c42f2a4c735306ab32b006833f7a376a8fa0abb64214e4a39313138fa8dedaf5ec7c1235f99bc9f02e3090f3ad64bd38df724401f0ab653206c7d84619cdeb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
76KB

MD5
28b5f93b4295311a031834d1253cd884

SHA1
22fed57594d4062d8f4a4b63b19676e7368a7aed

SHA256
7f446193e9b7fc101fe9722aa691293c7793ca72bf145911479798a9eac747e7

SHA512
8210ba07570f45a04ee78f4c62d0b05dbd9d7b1d6ec32d38760515ccdf40a5c47d4836b330e74e269b4be3b4d836b7fc800b2ab456db31f7c2f748616453714a

Download Submit