hxxps://gracekennedy[.]varonis[.]io/analytics/entity/Alert/78845155-6217-457f-b01e-9902541b485a

Analysis

max time kernel
70s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gracekennedy.varonis.io/analytics/entity/Alert/78845155-6217-457f-b01e-9902541b485a

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685559103962811"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1292	msedge.exe
1292	msedge.exe
3028	msedge.exe
3028	msedge.exe
512	identity_helper.exe
512	identity_helper.exe
4368	chrome.exe
4368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2604	3028	msedge.exe	84
PID 3028 wrote to memory of 2604	3028	msedge.exe	84
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 2292	3028	msedge.exe	85
PID 3028 wrote to memory of 1292	3028	msedge.exe	86
PID 3028 wrote to memory of 1292	3028	msedge.exe	86
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87
PID 3028 wrote to memory of 1200	3028	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gracekennedy.varonis.io/analytics/entity/Alert/78845155-6217-457f-b01e-9902541b485a
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa527746f8,0x7ffa52774708,0x7ffa52774718
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5447915697257971866,9090032601325499151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa3bc8cc40,0x7ffa3bc8cc4c,0x7ffa3bc8cc58
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,17276722993705141446,5828852439186932239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:5728
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff71fd14698,0x7ff71fd146a4,0x7ff71fd146b0
    3⤵
    - Drops file in Program Files directory
    PID:5764

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9f31ee9698d094a9440560b0fdd3b9b6

SHA1
c364f18e1e5236c0c5b671450d4fae6205e335df

SHA256
96d648ada982f30cc9e683f88d9844f65c69637aaf9c036345ae3a06b9f29ff7

SHA512
0483f391d790f36a42b40cbc200cf02edc01dcc0f443f16dfcb8e620344b549289ebcd5a46518a957369dfa09e6fa9ba66fde9c146111b1828fad8c055c8048a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1c13db19959e2a527353ab95e00a8d3d

SHA1
c92a4c6aa1c4c95bdf5d48db44f43cab52569f92

SHA256
2b62645ded473265987e753d3de4797e3d85e0e03d214231dab0a9cdf0f4125f

SHA512
9354aefbb031535f02f65d3f9ae94b64442e50c7d81b6fa5db8ef8980b1d531ff8485f1d3f0118ceb706036e4b1d8d497afbea656a2f5a66a417422787bc14f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c084985390f6275ab13ae7d568107b5f

SHA1
e54c83a8d91ef3053764f6556ad35e30765e87bc

SHA256
5994d1762d3d11ec06a6231f16d68831e255d737862d7060b8799d3cd4f8b874

SHA512
05221c424be8378f782afdb709026fdcc10bb787f3ed1d069f3a78a000bfdd6e2e761df693c94f6f57c4b50810221b6e5a9b414ecaae8dcda685066b90be97e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e833b5bee5876940af74d7de0a8717af

SHA1
f038063677e867f30a97ed686b1cb6a728536419

SHA256
f8f0b6f4eb9c6fa606d5f5379a4b1db921f1058e937128be58aeae8cf569e659

SHA512
9faeb4fbaf39d5b504b9a56136d3f2a74e58c024048fb2cf74578178ee0847083dc4319880cec28ac74022fe699f888bbfe960142d9daa3a7f3ef9c73b4f4cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
1ac8cadfc44ecf5af2f50f7768c4eae9

SHA1
6d7fc826f4192c832943b55fa3dc5f83312e5369

SHA256
f87c417ad62a48588a12542fddbec907560cceb5fbde02e05a60f740f90d055d

SHA512
ceac7e9b545fe5702120977a207564b282feccc790489f1dd4948bea8725fd92e1de0c0d22da36099e5570fef6bc6342d63b8c692b474000c794b0faba6a11b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
d009aecce89acd056ac445f263e1ce86

SHA1
c45134d9143d58f8c6155819e62285c3c6d4f777

SHA256
dcb217d5ae70bba6bfb1cf9eb2ca5251db635cab989992c41d4013de302e5b72

SHA512
fa713abe39f17f7e9e9fe8f9b13bd2d3d9eff4785e1e49c5c0b326ab9986eec47534fbce02e96a610d0bc35b53a00630f75c5699311a851903c99f5f1aece930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96142ba45f7203a8c4d877b2d70588b6

SHA1
e1d1ac761b3c41ba0a3409d7bec68ca22ae1fac7

SHA256
dac3fb834fb077720a5a79f49add75e37c15bd07ac063b5516061ffc611c334b

SHA512
fe09d408370c5ddfa3264f870118fd2edb2e4184871a8029bb62a438be6da78a8e1f72d176149ce6a4963e9981136dc878aedb1e0c660833482a9850680a4beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b367ffa3cd6896506992c5bb8b91addf

SHA1
93c9bded12fd3a814e4a87d1ab6b102818a9996e

SHA256
a2e0b202caf41d3a5fbde3824043e423cc9ce0ec9653a9d1a2d23b04c1467b96

SHA512
44e2745fad967ce9b7a2be00b75d6617d441ebe2763d81a8c038d57906b1c94d6d57c930141331c39e032a284b59014646dd9054be213fd973e75a2269466a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
dd1e4c9c0f8c8e79c4ac3b96868e427f

SHA1
9d284834b47d99c6895b359945a7ac5db60d08d1

SHA256
97e6d18bd80b5ec9e883c7d54331ed000bc8607e8d69277135b7b950089d0266

SHA512
c9189f531807315460d0360142f02a5d620e788119c5d07c97449a293d9d8e1b3f1d2def45f75784c498265f2a2b67082d120a16011b534bb0e2e83e59ee85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e4e36386a450f5721934c243577edc11

SHA1
a4496718eb4d4df739dd10d68882e347e5c87b60

SHA256
6b0fcd52787aae2b051b14bb11d07dec9c3e2007f05394d82273bc44b9042274

SHA512
894614add7390712c0fd24b3964ea1fc2af8bc66a581c3d5322f751553a129b9fd9a9f242014fb0f74a8edc20d803447e4928fd4cca8d1c3bab08fe211b36799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ebb7913459bda2f8dab5ccdd42aa79de

SHA1
958c3eeca70285bfd5cc1407e17f137d2dda8cc7

SHA256
348b8b9179e081ccb4541310c5f636c5139e4940edfbe19537045f136671b43c

SHA512
54cac5615754ec5fdb0c058672a5b2c97addf51f82c64ad9f91631536bab903089bb696ba2d58ec751c2b3709ead2ee62d71df83cef55786f32c5839e027beec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
588ae8305934f4b907d9f6b39bd8f684

SHA1
16ba8142a49b37962ff57f9f8f26aa1c10dab1a3

SHA256
8bcaf54593c61de27f85b51f57bf892bf52dbe2ecb7c54ac4faf8f9ed00af174

SHA512
99e7d7c102328d797d3ce264d94aad952387b44e11993a57fc724cfdd1699229ea2c32ae290c249f7d54d66cf6e8eb61d276a348e9d4e864287b3c9f35f56b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
852d886f30a60b001ee9e16d15da655c

SHA1
713ae02473e2af931fb4455db3be07a00c734e97

SHA256
0c05a4e24bafde15c1c9cfa778ac25eb5552c22b1a589b7b473eebc752a6ca68

SHA512
09625a70076a264b7138dc14f2fe81b0e8ad6cc0ecb3cc4f5d5bd73eb58fab1e2528c5e3a3a40837740895a5a694b94b2fa174a8595960ef122823a4132d4f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e4889337daf0c3193266bc768075e908

SHA1
d40db83bea01968c1d1bd263f24a2baa83a40bf0

SHA256
811ce3054c17211ad6119da877a0a02d461181b641ab7024fa0a7b0a2662cbec

SHA512
33709e9f925796dac905f973eabde6380c29c44d4428b0e789db451b117963a65a4b42f7f2c3c6df65fd4ce33dbda63fe521a946c729e8506417328d3c816485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fbd41789ac1800440aa1d1d376b637e4

SHA1
edc6a13aec82dc7456837ac253eb54c274a59df9

SHA256
c614e0f41525b2f47df70baed8b0303bf23cd0b2d709ff421e7b6b93cf0e8ae9

SHA512
c1203518d58e6cb02688c08f40fb5545968a433533afb9fc628042adb1d2d2070a9aa0b90f966989a2455825970cf8607c27ebe1148e5eaf56134fde8c8f08d3

Download Submit