hxxps://cdn[.]discordapp[.]com/attachments/1261172266050519051/1270624928424792165/KrnlRemake[.]rar?ex=66b5b2ae&is=66b4612e&hm=f78487e2c854f74bb3bb0e8be5894d348601b726f963c627e2d2119c541500a2&

Analysis

max time kernel
74s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 12:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1261172266050519051/1270624928424792165/KrnlRemake.rar?ex=66b5b2ae&is=66b4612e&hm=f78487e2c854f74bb3bb0e8be5894d348601b726f963c627e2d2119c541500a2&

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675943457352184"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
3464	msedge.exe
3464	msedge.exe
4972	identity_helper.exe
4972	identity_helper.exe
2828	msedge.exe
2828	msedge.exe
2304	chrome.exe
2304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2748	3464	msedge.exe	83
PID 3464 wrote to memory of 2748	3464	msedge.exe	83
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 1812	3464	msedge.exe	84
PID 3464 wrote to memory of 2508	3464	msedge.exe	85
PID 3464 wrote to memory of 2508	3464	msedge.exe	85
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86
PID 3464 wrote to memory of 3388	3464	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1261172266050519051/1270624928424792165/KrnlRemake.rar?ex=66b5b2ae&is=66b4612e&hm=f78487e2c854f74bb3bb0e8be5894d348601b726f963c627e2d2119c541500a2&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0f1246f8,0x7ffd0f124708,0x7ffd0f124718
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7816060029024357706,15758167727275694180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcfef9cc40,0x7ffcfef9cc4c,0x7ffcfef9cc58
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5228,i,11523921768613943152,1617613214655568001,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f0964f2e18b459d1e5d9d9ac630f3d96

SHA1
26b5b65572aba98a361d14e9c904bcaf98175c6e

SHA256
97c5715d09c5b3fb5e1248b0dc1783b100ec9970aa2c1b675f033b6a8f45c44a

SHA512
99b0a2f8c3fa9745da865703a3f795146898614af5e3f578f7fb7e6b34ca8b47c524e1e7fc2852644b81b27a722400be412d634064947424f07df3c3ce6353da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b5ce67920513c47226d38f009d1ddc48

SHA1
714fc5a6e82f958479d6890fc3f3f6ff41d92d0b

SHA256
0c0e250a342fea7f3f6b348b5207335e03b5ddf8c68e7bfe7e6226be7f230288

SHA512
08f152b233191dce89fc07ded2b1023fe2fb6ddbb605a665426506b8fd4b47de4698ae92c1b1647ce8d6736a41bcc253c393b2d09c4c6744db8fe60e10697b2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1278124e18908a1e590ba87a6d08ccbf

SHA1
d97b97e9bce3173725d957e384bdc51218fb0b17

SHA256
fe329dcd481ad333df26952244225bfa44b5264b485ccad586a9dc5be438d089

SHA512
6485190777f31789163b4bc35c84378158272a7f63d8333cc63f6494cfe5fa9ab4d444014f40868ecc64faf55405c71521b9659dde32cc3f265731fd159e9b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f4be22ed-019c-4511-a1a5-4defeaa15ac5.tmp

Filesize
356B

MD5
d527c983c32a0b770d59db0ab1575a56

SHA1
1c0554f35c02f2a9d7d9a9894ebdec4ddde40b76

SHA256
64b619cfb1646b526a5893b7f4f1185488e7755c5659ddc3dff7c1c1033ba1a7

SHA512
ebd79ddebd96985cc5ed5aade88c47e097c837fd7d192133ce905dab56d3a131195a7486b97ef8f53b2d28e0e7b7098ed4c859a70f079e91029526b3e22f23c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9e34ae3686efd7a3a08d105d0376e746

SHA1
5f63d0b20c8f0817519f1c1165f7d41742a3eb8c

SHA256
a5a8f9fafbe8a66d3a0ad1359b05b71fdbb737e9fc7b617c089a18aa9a8f2e3e

SHA512
ea68aade5c74c41d6ef86a5bf68b604d9de78ab8b7b0d58b00190c59eaa66c00ce0ffe802f1a43edbb0708214c1ee7adfb7444bd54c33a1bc7534c7547072207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db5e7c154dc76fc13d051586232d7fa4

SHA1
52bafbc6f2669fc3fbbedc946952ab67fb192d8d

SHA256
5830007170d137b01f9aa1b633f7d3799f200867e371960c3aad7c2f2cff8b03

SHA512
94339ac0cc95b2807ca6ba148113b2600c9322ff92cfcc78501350a71fc0da0497f030f139e471c06f46b01723c501b53370fc6ae3746477cdea88bbe9d6da48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
7ba2e056384171358545741d695eb183

SHA1
76d064ddb985c5b5d6c842f08496a76d02c4ffb0

SHA256
6d50022fef1e6c9c1a4053c1d25f1f1379ba5a7e444d457f3b23f9a35da904f8

SHA512
a34da573da12dfd1e6e89adad732c9c33d35b30903079ef3881c559eb1fa261373cba89e044fb96cd0f50a982a832f0a02c866c75c9610e37219f4db4ee7b242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
eaa7e7d3ec691212e152abf20e1db149

SHA1
7b7e3f0f590b9a5c43c32c6cecb5a96e86cefbe4

SHA256
3f8aabfcf214b522b031e99fdb1522799af9a9cebea0c6e07f214330730ae752

SHA512
a769bef65567976419abdfd80ef5506bf34a7719f215e52b25e0b320a48c65fac292653a5b882173dba65673199f04cf5c58402be36db745a9a00811869e0020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a80a4b23-ecd9-41ca-acc9-c977feb8e847.tmp

Filesize
193KB

MD5
6f8e5e61aa45fbadc82f5dff9a18e100

SHA1
ea01f722ca0f6887f922c729e34a893b5eae1a25

SHA256
ed3945a6cf67f51d95ac04f301644526c936025fa983994826f1b98c4e57c95e

SHA512
ec7e0965cfb318affd89f35e0777ad3927e00acbed9366cd09d278802f597518ef0f759ced3ef59b4b87d3c8db848049b81d5e394d31aab2ffb68097d1f5c8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
363306d72afbbf2956a8b601a33e7f87

SHA1
1b50ddc7bd0455417b237bee34846826b014a7c0

SHA256
53c7f67826a9cf1937550bdd4cc30f1cab45852dad169191076e42b0621138ae

SHA512
cf36c53c6bdfc108566f211d69acd2adb800d960eed419f6a765564063756ca2587d8b1592454e110325aa54e21a47b1d568e8be3476943e0c554e7271a0576a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7bc60036e104afcd59186a233717c831

SHA1
bad6f5e21078431544193a97f490e7e3eee3b27a

SHA256
e603f356fd905285ea9ea1095876a030dec9bbcd15fba4defac56cad1249b638

SHA512
4d0fefda15d3ccc4778b3b9bf35ea00886c84aa2e44e165c0ec2a278004ba4d50fdd39d6f2ac02e31f727544179238d52bbf271866ee8786dc1957549bd27849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b62c854cb203b7f7e4ef6d6af76c8ea

SHA1
4311ba7edcece057712a6a1a6f0c3173e697b4b7

SHA256
a982c4e5e83c6b5e97ba2b8f2304faa05d2ba0244784534b7e46fe1df3a01588

SHA512
4117b6eda153f1117c008d11657442d2784d4dd9a196e2edf21a28ea4051f3c7ecf1e7cc8cd3def3c478d98ba042297d7a2c1d6e4d42f8cf751a9835022d4043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0094e1f87d33a06d973ead68232f4136

SHA1
ca13c1ea8516a0693a54219026b53f649cbfaf40

SHA256
c260a9010588e693cdb50b5b0f01ee29302f4ca803b47a0b01f69526ae3320ba

SHA512
7341d99ae3aeba8dcea52c18233ab997da1400e1557dbda7902b64ff113b9c28216dd44fb13100bc40b58a5f5002d8171d0b819150304d3a096a1c0ebbcd15a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e312536aca4168188282767c7489dc4

SHA1
bcbc830c7d7f0febe1db24bd4cd6d13ec44031a6

SHA256
1f18b6a13070500013445ebd13effbce482512affee8142febfbf6bf772aa788

SHA512
7474d7ad3d0a7e8ea6c27efe78a025fccb8638f3f385db6ad0111f72f40f0278ccfef570f4815f3c24bb7009d31e7250833ed6d4f18d294e462d6d15ae6dcbef

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 656893.crdownload

Filesize
21.4MB

MD5
2f5d2cf969c7b9edbbf069a81ba67ca7

SHA1
652c7aa1d940310e21f6f968cb301b6922e3a54a

SHA256
b3c1de1e8fe8d1c0af5c0fcf121c5c4e5e49d71d3d915a746cabda9108d326c8

SHA512
505adb47b2a8c4c41e9409989bd2a7c5cc00c1df629223df050b31665c3afb0b09e8a74afaefd142c162517811f35e44040a38cadb6d90d5a83d26c73353f7ca

Download Submit