hxxps://drive[.]google[.]com/file/d/1d53w4_YqtysZdoJNofzl325J9_j1mF3U/view?usp=sharing

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1d53w4_YqtysZdoJNofzl325J9_j1mF3U/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698564834199074"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1424	msedge.exe
1424	msedge.exe
2332	msedge.exe
2332	msedge.exe
4088	identity_helper.exe
4088	identity_helper.exe
712	chrome.exe
712	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe
Token: SeShutdownPrivilege	712	chrome.exe
Token: SeCreatePagefilePrivilege	712	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe
712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 696	2332	msedge.exe	83
PID 2332 wrote to memory of 696	2332	msedge.exe	83
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 2772	2332	msedge.exe	84
PID 2332 wrote to memory of 1424	2332	msedge.exe	85
PID 2332 wrote to memory of 1424	2332	msedge.exe	85
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86
PID 2332 wrote to memory of 1148	2332	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1d53w4_YqtysZdoJNofzl325J9_j1mF3U/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a19c46f8,0x7ff8a19c4708,0x7ff8a19c4718
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3979946831349001113,15000830861391891569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff892e2cc40,0x7ff892e2cc4c,0x7ff892e2cc58
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,4520268679501750653,7037029413312938330,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:532

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\273a527a-9b79-4fa8-a6cb-14e2a0076f06.tmp

Filesize
9KB

MD5
5f621bfc3f44bd5e9a2fdcb9528bc75e

SHA1
dbab6f15894272e0f82df131aac83b574ebcff9e

SHA256
69f4c380101a9c5341e67ccfc620511c4ffaea9694e5c69e8552c3f2475fe812

SHA512
c5fe2f277aff9c77b6e90046dbf6c38d3cb5c8c6ac157427dd7e1209a19d90277207ffb81bf72a12183c068caead242620e16c2f8481f2a729cc76c8c7ba15bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a4357cba2f7dfbb206293f37ae9e8679

SHA1
f210f1a5a60faf13dcb33f3623639932f687073f

SHA256
c7605ccad6036c0d98cee216d764f9eb1e3c3a57dc99ee53fbf6790a15a5c60d

SHA512
a47a500ac15e0c932421e370ba76f971e47edb770f56d9dbc12d46101ca10a5290302baeb49bb3ed8a84f3f95442adb074b36a06b23424e3a63d965141bd82af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ee1ac7e989615f4e67591bce9819eec5

SHA1
227a1481799ecf7a3015941de8616abb1c8bf6c7

SHA256
81b2487962f8607fbd6b7923205691513eb91c816c860658e1ffe3c8c7fe5bd0

SHA512
4aa212d663e05d6694fcb7090383b2b76ba625f04d292a216d064836ae4c5e8540a44d4790a9a4faa5058d094f5fe2f9a47d7c41d943624371797790a310c988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9f5c05a3c372e86eac485acf73df28f2

SHA1
c496af11eda95e455554a90be8bf8446172e4d93

SHA256
63c050d4eab3394d7f1b023c61bb26d8cf60b14b73fee17569bac2d9a1fa550f

SHA512
c6dab516162ad530c66ce838f98b8f2c044acb965edeaf65a5758601d192d88afbba23c64265abf402ee7f76dfde701d054e8d968e5ce4413b085f95caf63526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9e99e8df674b08b70c9b68b137896df1

SHA1
22ad8033f8887ab2229b740510db84ff9335f377

SHA256
9d50dcef3137bdffa2dcb0ef52fed871639a2d3467f7632286677028c0d87f9a

SHA512
826b5bf6cc08319b4debceb7c666930bc9134e52562ae01e1788a5b6dc99906e03dd6655af5bdc62226fc4ba63aa65e66edbb2b8e523de9c18e097d78c353bc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e86d270beb7055203144e2d933d2d36b

SHA1
1f28006d2d9ff88c5c6b8a00a106b2b1d192dab0

SHA256
72bc3a9ef69424e83b99bac92c6e95ae58114b11d48d89d253b36e59cf609697

SHA512
3337e0ea2940267316d68c60fbee726e2e8e1ee824d92ae3b2aa684aa8b7d5e956d6c5e18ce6220caa9fad00c3a1e181efc950c2748b1f7b0f4c893275fcf92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b35c83726d88cb33425760c2a42498a6

SHA1
f220132d1d8420bda9b82f848c8a6546f5cacc83

SHA256
ac82771c59161c83b42b36fa4afa9b56c27ffcee9462a6563d33e6163e4a551b

SHA512
7519add080c41f95d1e31680ad862c3d9dd23ef95501c74a1933844f6ce65a6d9e0de1fd55ee87493188cfc656ac1520b414cb09ff3046c7996cddbbb9ffc3c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa571ccd9b9f69ab30dea29594886491

SHA1
ad6360f556ffcdbec76852209e210431f9a0d7ff

SHA256
c5da4018bd2eef399822f2ef737758fb0822f34c656aa70b3e1e2aa72b80518d

SHA512
39e992a06f510ee2d4ecda306c57f50d32f37abc07707a4d1b62b6237cf5f201bb28df5bd909bc6de377872db4d45eb08241151dd860563e0c1c52fb35adae8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98c915a1c749eefcc5e284380d4a507f

SHA1
c50bd650520dab4c2108d5592403affc8061cb6d

SHA256
c2ef172b0b5d70cf9eeb886e6f5e63edce0424ef8e7cc17cb19b849cbe894f15

SHA512
c0dfef65554e42c3ae804eba0b83e3e6f4b4fff7950a5ef0dcd6b04c8ac49c02faf63edb132b35480d0e26e0504777e4ade2ca14429bb56031ecd8b3410d9c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e582cde445fca75a1c42d57369d74973

SHA1
971ae2d612b50133991271f30267ffaf92b6733b

SHA256
072a7f3a3dff8ae329759bb68c42b58fd7e658654307bb0b4b24e2a05b22bc6b

SHA512
a555835c4389071521ef867da07e006697d189953d23047bac6b1582ee02a2560eacb7401b20973a6707fe27327662dd96c384e7286e94eda13425b55c004f5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
84db9e4cd1f6f6309f11490bd115cb01

SHA1
b4616980f99d65b5a98ac76119cf907c93de5a1f

SHA256
5cbc320ac3352004dad3e2a3b623335e6590a3a457da3d1f8fee54a5e3597ce1

SHA512
ddddebe0afc636bbc45e1d897cc0646618193863d7ffee8d21411c3cc42f645f43a0e664a03f1c8f5bc12f935a944363334a68a451bf8481bde0c484da234706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
0614be02f8c93c4ba988e207008af46b

SHA1
725b0e06b73656d5f459ee6b4f65d94c2abf97e9

SHA256
eedcc3c483f944b3181ce3def917560106312fae1e6b495561c560d7c5c6c4e6

SHA512
1a480201d90bc02575e5af204314049f09a8a931807cc594d3f4378e74e586b407ec1d23309d58ebc92cb697c87199095616e68a4db1e2cd2cb8191ecbfcb214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
b4f630993f7ea5c6bf652c8e7f90e840

SHA1
c8e5d1d080487aea7d34cbfad620cce914047312

SHA256
e83c43d803846628f1df8de5fe6eaa19ab406449692039390e0e6317e597c4d8

SHA512
7fd8ef74c060d77919669df576254fbb9c01a7f098cf4d895843acd63713a0a64d566297f32f023f7dba80e8c2c57c3c2a80a7e204a61375d919a06df9a3efc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
b9fa954aa551d56cd6d994066f2834e9

SHA1
b8ace013f28a0eacd0b3365437e112567aed5592

SHA256
21cd5a891771bc7bf820ac3657e2ebfbed288d3f57e1ec020a77ac08c4f409b2

SHA512
5f7d4aff4374b8ece90ebe0173af85a4a2cc879008a684637742ea6356ae607ae90bccb889bd9eec449a126522f12ec3364a8b65ee22bb49fdac41c78b4e8e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8147f268e3a207c426ea94717ae3e9cc

SHA1
a868f642c8c05024e650de2f2454090b30d461dd

SHA256
c4402e635010281212da6d7d3eae54247973cb18c313c04620da6423bdf92d51

SHA512
16b7094e2bbbe638e0425a709d737f9c158464352ae95e6061dc2bec0cfc61d78cfeacc774b558c324968235baa69e11e48f45bfea8756a7dde4635171a26bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43de6b8cce46a6004132f684c4685c09

SHA1
37575b537de6b98cc03788df0beb6bae356dfc6a

SHA256
dd19c4c4dc4b1eb0da140dc9095880f2756764b191ff4ccab48599c65b5b7906

SHA512
eb3e9a4a28e326ed0adf3c3e05f8d95dec25e9f7c808626ca94a4a30ae0717e6136f7cc4eaba8ac90501045dd8a57e90dd993f363e3bf99971aea3e10a83bdc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e855dde3405336b20bb656b253c5ac1d

SHA1
b866a4dbfae1f0ef941e79704b356f20f7c49883

SHA256
93d4f96ba6ea99838d844c500b841aa28970b1b2fc09b8ae1b63930b5bfe90d1

SHA512
2875f30711fd96dc88ac76bda64c96c07d36ef055afc50d2facb1575e310bab60e31158f86495399c6a556c544378ff375e9f98bd6e0007fee2d48c953063fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
62779e1e2d390920f8106806a62e3a6e

SHA1
233f1d691c652a1df9f2fbb78b75603a9377100c

SHA256
ab7f71943649f96da52280df2a9167e0abca95da2dbb08f2b73a343d2d2fa988

SHA512
0aedddfdbfac7ea1eee3859f2157edfbe8711b1c4d6fbd93e1d0f8997adbd7e4686d88806edca3374385621c8daebadaeaebb8f02ce8c09876a1cf9f3bdbbf52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a27e79b9fd91d95c6168f12419e5e8e6

SHA1
6a2228f5e734719d96925d8fab4e01967a4907ce

SHA256
9ced24b319c16439102f8d76e305e2ce8c6c866e6c855463be6d1dc6e8497e2f

SHA512
56b7e663dcd66eccb875866536ca0df7594e9a9e916b82d5b598644ba2fe423a408217e80944f03daf07488a0009b6ea32e2c3ff0f629006c6885c5d7456b876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c0f9736f4de2cf49ee40f63559cdb290

SHA1
cac131bc29c1579c63ea77d8689777072997dd8a

SHA256
5bdaf2f9cba84029dc3492a97d4356a49b69e16f9545d1ed4bee976c4ae0b4e2

SHA512
413c6664147db6ec426630d1ef878e2e888d45440f0ddf1bbaa8211c7013b530ac7e12c370040f6eac648fea143a4eb839c08c2a5cbf7f0ef708102777cc253e

Download Submit