0c32cccdf19ee3c079237590b21e9560276024ae58a849cc7cbfdd7e4f1abdff

Analysis

max time kernel
58s
max time network
57s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/08/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

httpssc.linkPs7Hx.txt
Size

21B
MD5

34b6d72efcaeb2547a648cc15d2d250e
SHA1

d9591892ff40888aa65ee86daf34800912abaa77
SHA256

0c32cccdf19ee3c079237590b21e9560276024ae58a849cc7cbfdd7e4f1abdff
SHA512

033b35b1f9a2231f432e37ecf48c110a709b92dd0a9116a9e3f565060950644edae85aa3fbfd8822cefa227868c32346f0038eab8dd6764a2301cf689d677b35

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133687454874103581"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2512	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
3140	msedge.exe
3140	msedge.exe
2328	msedge.exe
2328	msedge.exe
1396	identity_helper.exe
1396	identity_helper.exe
2068	chrome.exe
2068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
1104	msedge.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 2512	4092	cmd.exe	83
PID 4092 wrote to memory of 2512	4092	cmd.exe	83
PID 1104 wrote to memory of 2064	1104	msedge.exe	87
PID 1104 wrote to memory of 2064	1104	msedge.exe	87
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3864	1104	msedge.exe	88
PID 1104 wrote to memory of 3140	1104	msedge.exe	89
PID 1104 wrote to memory of 3140	1104	msedge.exe	89
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90
PID 1104 wrote to memory of 788	1104	msedge.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\httpssc.linkPs7Hx.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\httpssc.linkPs7Hx.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\WatchResize.svg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80b583cb8,0x7ff80b583cc8,0x7ff80b583cd8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12748637953781849065,10793087667732620822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x88,0x108,0x7ff81cbecc40,0x7ff81cbecc4c,0x7ff81cbecc58
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1756,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:3
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3516,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4272,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5188,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4600,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3404,i,16936859163021860211,6083375719251621003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:2320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e9b2a13d93a96a499f4fe2103d73b49f

SHA1
9f815019a67437480b0498f1371c0c51ff655e9a

SHA256
c3c05c96a054cca8a782b9a06acf7c9898d333e82c2a3b2c55737afe55483238

SHA512
f6fa13f5d2d2593eb184ca4c9d206f0d2b0e14184eaed43f4a7b0b694067812a497c46638596745208aa145704a8a07c2b0caa8fc6b1bfd5564028cd5062ba64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94e127773577849ee41874288cd630fa

SHA1
35a59fc47b2598da401fd8ebda6cf9823af85a4a

SHA256
27ad40802c88ba6f44377207ef070480a41deb4e30d0d5415d3b297dcb2d7158

SHA512
f22dc4d8f339f3e8c69490967a60289a9cde5864c77730555671e05dded9458fe81ca93316b639f823a1bfb7ad7bd681b393c19f888c6666bf20630aa7b9bccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
faade018466c291de0dc873aca424475

SHA1
38308f9714dc0975ea6a316bddcaae5e7302531a

SHA256
9a93d8d5a455377d46279a7ee7083a38666d3d0536efd6ad6b364a41bb0d95b1

SHA512
b86e2f8c8551ee4678e28de5e3ab8ca8141f250fa7249742198673efb83cbfc3caba50b9bd181ad68cd1b8735d3239a85c136666eab9f49bceffc738b2d4dab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38b808122d9e304b14847f98b49a0031

SHA1
c5d8ca91ca2f2bd79f1398c6542f9c34227bd415

SHA256
42e04840a22ac6562e9a883fa4eec1d7fce5715486f401c3271b8d1da60dd792

SHA512
dc0d7af2942c8ca0c5ffeb2d8b861a7d24308b292407de47454717adcb0279abde467c227ea70158b9c0f52b20f04b17a312a9dc49d0bbc0d122a682743943c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c408ef716318996a7b3dc39be36acc4

SHA1
8ec50b7d238faff5804a5942695d6271ada20aae

SHA256
aaa6cd50d2406cba8dbe186842c7a3c297b48a313a5b04292307c8a24d0d7dfc

SHA512
6d798cde3d42185946f3c4eaa5d9369237dfc41c92b0ea8c759f07d006bd4dc0c17e2c69fe7374b5b44970839f50071a3556a631cbd97f13bac270b81c2119b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b9ba3733f106e554b10547cd0d1fff15

SHA1
5902427f84f2c205f354a6e832c8b38d032557ec

SHA256
573987f5902b4bde14fb037a47c1dca364d5a941c7ade5260f37c55ab5fbe83f

SHA512
6dad2e41b640c8ea844ac9ff880dcfc82b076fab1dfc7bc18cf07da77e41c9d9ab77b5cd2f5b0701a05b64f1d51ea31ca9492f67c188fe1be12c8b662caae93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
583beaa3136e4ac63fd14a75a861d5f4

SHA1
3c333d58edf41a022eb95a93e367045a468425f8

SHA256
3309966be4c69b63ee91e0cfa9596f95a25f03cd1cd4e1c61579fff9a808a6ed

SHA512
98b10af7da44ed4ab9b7b830ccd5681e9c0e1d64c58e85ebd654dd5f1728574896a6d4e0435c759e5e499f20db13958f31109c9aeed9ef4513a5791c42364f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit