hxxps://tw-py[.]top/

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tw-py.top/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674637632529384"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
2652	msedge.exe
2652	msedge.exe
2676	identity_helper.exe
2676	identity_helper.exe
2616	chrome.exe
2616	chrome.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3788	2652	msedge.exe	83
PID 2652 wrote to memory of 3788	2652	msedge.exe	83
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 2264	2652	msedge.exe	84
PID 2652 wrote to memory of 1612	2652	msedge.exe	85
PID 2652 wrote to memory of 1612	2652	msedge.exe	85
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86
PID 2652 wrote to memory of 60	2652	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tw-py.top/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf8be46f8,0x7ffdf8be4708,0x7ffdf8be4718
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,4072026547308662197,2724356476871724979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffde6f4cc40,0x7ffde6f4cc4c,0x7ffde6f4cc58
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4908,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4708,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3292,i,13746486349745028371,6884385145656024226,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3980

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7fbaac13-6afa-4022-ab4d-2aa771d55654.tmp

Filesize
194KB

MD5
db68ec16d173c43a9c9dd1e289d64827

SHA1
d8a23103f6b835ab3f5a860b8249789cd159ff04

SHA256
4721c7037e1b0d50fbe36f4c335d3536cf6c09f2c9d240f7f191b2ac24b7131a

SHA512
734c65b2a902dc70f444cab0c27d16fe3e2531c07f39e7f294fec0fc547b530e8d8f5891b9f24169fa2fa66cada57e82156481364998f6cd0fd9dc491da6f0b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
44b6db3952c21f4456c38dd345bbdd87

SHA1
eb3ada8e09fa711444c459564c02036c14be8586

SHA256
f70f1724c32886ca2197e8180ae39bf805b7bbbaf9f56277e777c4768bb2cb10

SHA512
11e15ee2854b1a51f341ce269de7492ec55688bfb221d543249a92ea103ff2976897b166987985d7b4b79b965a54717d42eaefd3869eef414944162ca4f1940f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
31adf7517af7fa84fdbc7319e11dc302

SHA1
72600db8e3f4648b8bda2a01a6d62d0f3cbe03b4

SHA256
b511aadd0b46dce76f9a4f2caf13c4e3077e9ff23e41943f6b533cc55187e4cf

SHA512
80fb3625bd4f8f43ce471577b474407e43ba421523f2f3f886c1d019fe702f86731cd2cf0a15c0bc0f7647456c8a16f5b77da4c720450e2125e6194206a33507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
08b81890c95e5371d71301211b9b736a

SHA1
89954b7d7fdf429535c2a41e37f75cba4b97d63b

SHA256
2a729f35215968dff2124bac17d952418ced995e1f27c0389a705d32d0d22177

SHA512
5d5594aa9e7dd70d69dd90caca62044bb426cb8e39bfb96851369b0cc7dd6f65ddecf59b649dacd28d2cfcb9d0693d20f9d041b288c6e50cd28625e78cb13f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
188fed99edce28577cf7a9e889d7f4c6

SHA1
6e0986cb855a43435d876314d75407dc9e61a735

SHA256
f88395ff32e7fa3166f8240111c054702bc4e94024a9d44ec453d740bb69c94d

SHA512
b7c513d779c85bc5021b073b7b4a2493e9108cf1c7a23e9743ef6468dfa8154c93cba885afd3ede245fdc5a925732d90563258b2121746e9cfa412d599b4a734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15a9de29f164d915900f714507b2bb0f

SHA1
a2f0a96a734a708b5b9fb1ef5dc90f7c475a91dc

SHA256
6f15c4bd4b5d103d252bb21567744cebe3129ad2d88b81be5f431f7346df9dbd

SHA512
bf8b4317e737106e878d377aa6ded02066664cc55ba11753dde45df0078d43810bfaba87879c44ae8dca61c332aa3ac45b0d25f5ffb117084566af6bd36660cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50467020e06e49042c236e687900c322

SHA1
46d099b5fac9ae94186866b174aaf8a63adc144c

SHA256
0d01889bfc4df0fcecd8af2f3fb740abee89dbe997c9f8fd952ffa9980b46953

SHA512
6e450ed661025f01a214f46322cfdd56725c1b4ead0e84c13329a745a87f61ae419619c587b7462ae01d1c1ae087ff3fc906ea2180c56ddcb7198957005c547a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9691044b5f81ed6a845215fe8327392

SHA1
86282ecb298d71a24f1b297e7339425d13d2202d

SHA256
afb390464d6f68c03a5d4c66b448d64dbe9f3c199cf46e3adbef4f81c7d32623

SHA512
f42ffa03b190bd898056f0214ad643867e4c27eae3692469d890520d6e872a3b3718841185aa9799d174cc274697c082902ed0e62abffe777c25b26de1daffec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd3631d1b0f9d7c1dc01131ee47e6818

SHA1
036a62841471d6ae65845cf9c94bfc6d1c4d55a2

SHA256
afc5dd6a7f7d48796a8ae0f872350f11fcc91c3ac91c632725dfea412ffd9c93

SHA512
508d6a4cfd6bbb404824e1be2f24adfcd950861a972368aeaae6389501cb2ba2c094c99eb91c0b8a12d8c6e9941487cd13b648e0b8d69d3d0f5239d7ab5294bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e2ddd77d8a9378a1b8b25a0bc82fc803

SHA1
3fd5277d76471974d5cd8d7d9a25d3c9638fb589

SHA256
35a7cd4069609d9a9369cefd3f9bfdf4de6e13ac391683b703040b9e3d9d0db1

SHA512
a11d40a48a1c841fdbf16ff5b14be5bff44800dea31320b4c20c9f5cf13116f786082eef48bb96af7e91d3d8cf08adf1dde8933ce4aee574480fe6e72e09a358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
cf58dc00d1f3b8dbf656f2b6c82c4601

SHA1
c1ceb1b868ded426855e606bcb6d39674e4be7a0

SHA256
8648bd60fd0fc2f8dfd6442012d8a8ac4e7c6f9952cdfd44ee000f869595ccc4

SHA512
57173632029223e20a93a1596e09ea182fc9716e082867379afcc3c7819f78df9bb19c1403db83c265e974d392a2547a600b952331c3db99070c9b164e7d63d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
400B

MD5
57fd123d21f8bcd85695ae3ddb372c37

SHA1
006e7b4fb5c9d120890a35d3b153651921a61c0a

SHA256
3afb97997950fadd7ffb9b148ef1a143bf0ab070de4224de77d8af8d9efee99e

SHA512
39de751a922999229e9a64f89cc0326122b7bf6ab8dacf424e196b70b232cf5f02bbaf5eb6d40fe1babf09271eddf978f8dd57d25bbae17ed0eab8674ddc666c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d25e47a8fc880bb2d9aeca264f0e0c3

SHA1
4abe081bc4df614570a75ea66c39b505abe2d15d

SHA256
2674cb6153425b770235bbf09c44548bf728ac819134120893ab3121900e2e1c

SHA512
1487c4b6d4c0ac8877c2f94521230332d2bb594a65ccf9a5cfa20b49f2e340569e47c7ac8132521d62d20678fb8a0f45762d4ebb3d9739ea85052c899d3473cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73fdd1eb585a4c67d79301f4f4280474

SHA1
b5368f92a42dd5349efeeb1cf5c3acddf38b30fc

SHA256
b9de0cb97c5f13d279776e4a993652d6cc62b8e9452b973244a22f4156c7ef0b

SHA512
8b25dfe1834487063ad303f57d056990609ec87082856914cba165e9705c4a95f2178b57c260cdcb9d77d6910384aa89799301a904639d43b1623b5699b7e7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e464c49f758e0eaf98902fda6a96ec22

SHA1
deb17b373215353ee66df7ad091adb012b1d8627

SHA256
f4876938bc768e4f203cb677616c69b02a78ea8f7109a9e4817bd8d4588241f7

SHA512
0403e0cc1f4c45ca9283dc0f14e1e554e63a1870fdf9f2f7f81ba91c3b9fc60c9e066859b92341cd13ade09d5c2577d662d7739aa4c6e57138327606ed7ebcb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8821f3ab34c16bfe1f08d1b70837a16

SHA1
1f359c3b7e520bf5bd4dbc3bb998c12573f41649

SHA256
6c90af10892ad5b7c2bc78f94757ca56faa14f148529caab1a59d1c196f176a0

SHA512
49a63ce24b62eda135cf255b3cf432843c76845ac4c1a63175f20a5273c3479c0c7cc18bf13146ba10c93d4504e86b763eb09964fc52342a2cfa93a32da3668b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23ae91c534bc132eaa4d60e5b57a58f1

SHA1
85dcc3803e41b0fd689ecc768f28a2f0f0bc3153

SHA256
19c1a414869d9f3bd945cbbdfc6f93312f95f34b6b0123ce8949893f08a2b6c0

SHA512
c238873e54acd78bc8f0307e2d977f4c9c2b87d115d5c2f279dadb49540effc9e7d88efa7d4df8d48b9b87378e902011f4ed56e68f0d98f08a8ac9bda611c315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
83047baafe6ffa69b6c32eed42d5edc2

SHA1
35dcdced7b47c22170c763965b9a5dec307919c1

SHA256
564f3bba6a463d19de57ba0a8e54fc920ba69a8939ac90b0752b8635e1ee068f

SHA512
285af3ba815a4d03eb56622e33e1849d14d51a9e57ec3788faf284113b837275116b9530e3b9b294b4a9709a882bfe8d227850735ad08bb7dd2fc17f968d02aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d9e32b9dea9b0d26e4e855e0e6203b86

SHA1
3c2e4f9bac361f1630207cf37006252ee39e38d8

SHA256
cccbd002f2d358fb36d18100672112f60edd36c4a6a7de89e6c2bbae81178a02

SHA512
acb53da4226e5df20be8daa1ee6831a56a4dcb4ee4b7d8c7f848376018c70a18a736d717bef48d024c8fada778d5523d1a0a3a75bd58dd1ff5e2968706582f0d

Download Submit