f745c70c96b7dbc49831df540b4e836ba1242be84c63fb60ac6c9c0c7130a5c4

Analysis

max time kernel
971s
max time network
1161s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trial-redeemer-xag-support-main/redeemer-xag-support.py
Size

28KB
MD5

97fb584a82f0553a73216517dc99c06c
SHA1

b286406885054aaa87d786533a1d42382cacc911
SHA256

19dcbb167712027ba60a6e0a167694197525cdf37807488ab94a007d6b98bb0d
SHA512

f8705161208924801907c22744f0778030a46fd26a235e033f600d23b86054882f1be27b36182ff6a689334f9c4c7db20b278bd9c71da699e2ca3b1d7b705676
SSDEEP

768:ktcTVE+dvUdknoIVDRExfJ3nQ21oT8HzVxZ:vTVE+dvUdkpVDRExf1F8U5xZ

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701190389343265"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
4684	msedge.exe
4684	msedge.exe
4744	msedge.exe
4744	msedge.exe
1352	msedge.exe
1352	msedge.exe
412	identity_helper.exe
412	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4328	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe
4328	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 3212	1872	chrome.exe	86
PID 1872 wrote to memory of 3212	1872	chrome.exe	86
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 3956	1872	chrome.exe	87
PID 1872 wrote to memory of 4868	1872	chrome.exe	88
PID 1872 wrote to memory of 4868	1872	chrome.exe	88
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89
PID 1872 wrote to memory of 428	1872	chrome.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\trial-redeemer-xag-support-main\redeemer-xag-support.py
1⤵
- Modifies registry class
PID:4916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb00c7cc40,0x7ffb00c7cc4c,0x7ffb00c7cc58
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4760,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4432,i,130917881630400870,13876353564582755014,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:3984

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb00b33cb8,0x7ffb00b33cc8,0x7ffb00b33cd8
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13722935186985187941,4826932613663675076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
  2⤵
  PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
740c2b95da493aacd36bbca0c8fe8824

SHA1
3e617494bd0c8d8848c418f8fedca03ba8103609

SHA256
1bee49c2e8684a8b3c5e4a4dd90ef96ec901c5d15c2dbc554df988ed17b56833

SHA512
4bb41fb6bccc7a9c37c38d466de94085a0ba7427270d6b0ab24a779cc2d55e5258db6d161af4f82d9fd2b4ff13800b5075f3df6726885c37e64df6ac52457bd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
d77a69449013a3b56fe0d22fe06a4ab5

SHA1
60d12a4dbcb99a1e38b71dbe0b258545ccaa4f68

SHA256
d55f6edc63421f7a212a1f922ea5cc1c196c30817cc32ad76894c1d48231bd87

SHA512
fedb18da1a78f53f67cd8f5926fa3699ed1e7f604993131944dfdbf384b8afb2ac60c3d2c3d5327788f1e33819f113e79fe199e40d3948bbc7ce96c8b32f199f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4858128d460814b37438697331826c34

SHA1
8a0270fad76896f27b5f97c1b9c678d9a227bd3d

SHA256
f2084deb8fb3f31ce7f1411210b6a7af1343e8933108d3420455df6bf753b61c

SHA512
26bced161b27faaff0a80fe59365b3c88fdd8905f94dc5f0d063d5cf0e23aedd13a5231140a05a900b48070ad6d383780d9e651fc552c4e174315f04fc50833c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
b0d4918e4f4789fbc59911645482be6f

SHA1
6e2f9e051ce81a04b61be66b67e2cdf6c6e345cd

SHA256
70c075246a854c67ec3c9311ab490e822fb83d197b6d08563d5520d95645aeaf

SHA512
2bb2e784649aa35023e3e40ded3acdc3b304564d26401f17d7f5296cd47de055bc44045adf42cfb8afb6e451e2c6a9ca010a0aef47eccf83c1a302bbe25cc091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f77e1282a6a9fad3e020e5262aa1c301

SHA1
a7fb79d7ee51fa0fc0937162c1ad39059fae8824

SHA256
60fcdfbad6b284f61459016389f5a1596a665074cf0d29ffa18d4097fce0c0c4

SHA512
ddeadee15b54d98a48877198b6cce5e6395df2a500bc0fde3388a094182b0ae5b041da1071f94c787cd8b254240d4917ff37bdabeb28c750141a7bb47bac3415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf9212e23acab7da694053bee1095056

SHA1
5794b4d2ae2d1c3d8dd70d0f46f1e169c4243b8b

SHA256
979ea31f99f1969b7d341b84950ee91d0faa8e25339b538330b4e8453cd5b039

SHA512
a89a803ee2bce5c5f028d9ba33b473ceeeefe98203a72b79febfb6ecbef9e72b667045a85ae5894a44a7292d6578bb07e32065e64a9990baa18c8102c7062de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1a28ad3c1a6126fa259389920f305ee

SHA1
422a4f5f0a496039c2393f716b7e5e0394a73906

SHA256
e279dc60660cef402bc8d15e9207da3bb2effb4accffe10d32eb39cdc5d7c155

SHA512
3235952614fbab15fb8fffc67c642ca653f5551e3cd2db195f19982f771cd4c22fbd3019c3db4f24c3ffa06aaaa8448438f226912e42a3232fda82361b55d2e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
111529e1529e0a3c165b71281a0de399

SHA1
1eaa5d8a3b42a1fb3cbdd2e44fbdc550d20ba158

SHA256
b5926fe909f2781d4f1977398dfbb0f1d0fad123c36e3773b0351c7949b0d116

SHA512
a5a351f594c2e24a3bfc8082c1da2203757a96a6d088a21e4d3e713e544800cd011aecfdd31b3bed33831b484271b2c348e51f1b108683887d11b03d85097808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
2d41d8788140ffedaee1467e2458d16f

SHA1
5be517fda6fbc600e0f9f7a493325c5feb3e7c37

SHA256
d78b70597733360f6969caf861bb7af2cba0e0926a920d0f9be70b13bf1692da

SHA512
e1bc2cb21b78f304dad1b82e3fea944807cb897f4f18778d2de4e394fa79b9b1f9f629b9bd0b8796454785892b990cd98d9203cdfa4b148a4719af3154408cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
66ec965ad20ae065129858130ef33e82

SHA1
a79ca5eced36e72ba90d0ec730ebd9f32410377e

SHA256
b0d21e45b83de55d977ec7dbf3e62b59508eb300ad106b09062b4b535f456a6d

SHA512
15e47eda1b76a72ad380e6ca5dbd59ada30726f7592c4d584fbf50ef0738c071d86c189e5cd0d15c75e498aaa2ca19e5c98af36f1d422e49291a37f9c91e7733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
1b46328d6509294eb4a5938d80401e2b

SHA1
5a38ecb10f665100f8452d9623ceafa1cabf78bd

SHA256
171e0b390cbfe3acff9bfeccb71f58cf6651fe1a8923b11e48341f6fa0232b0a

SHA512
a5b7cae0f00561e81f08c1506e05ce522888e0685328d70019f4bcd7a520c10b8e550df63ae66bc409659fb656eeef032eb91af1ad18eb9f0d75ad2d86b809b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0f18a4f7-c2d0-4095-b742-33129cd465c3.tmp

Filesize
8KB

MD5
72acfbee911671f85ad24e0fb029717b

SHA1
7e060598a99ec6e5d9b05d755886633315bd2a7b

SHA256
a02ff7231e98f729c66b41a03f46fb22894fa6cf8ed6f959284542635312f6ce

SHA512
bac00193ebb523e9139986b9255faeb94f28e5131a1e313cd8022b2f176867fa72384dec8761b9c90fd3af5da99e2861075c41ac9e79e8842f3bd506854d0dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f81a21213f9d0b3034e5d35eb9e374c2

SHA1
0f96cdf4e783ec6590b3e3d48f754a0243ad30e6

SHA256
cf3780a7c9f8f35a8982c5c910cc3994a72c721b645471bc9f4ac8d41f96ac19

SHA512
da9a7e32227321854af43577ac2501b47711a61fe1272754334754443be02d57ca32c653362dbd3ea00fa87a9e99a21aaa7c8fc28f0760d9bcb6c4f01b5f6b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7278e063c542d46139428e74108f3a7

SHA1
de6966a4782244d7b3b44b0aa23ab4c45a97b675

SHA256
b67dd33f1a5e16368f017c2ac26d12ff693d667480407fe13cdbd2e8e5e21a71

SHA512
484dbe9486ba4332df4c2ed3a113f9b88b19462b9eeed169861c862f6f0323a9d65de4f8d72d4347809ccf63118386cf1bce263b0d325a876e502383d0836c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8fd063f886c57c1e9c216df4a3c79e84

SHA1
83edd1bda7481e455466dd5402ae4612a3960337

SHA256
7e7fbb2c0117a1315490b2e1ebd809176aa9cd603a960b7fcb3c58c3af7e4257

SHA512
ef01983c753eb6c9166cdb4c64d40fa77af80abfab15418ed3eace3951a3a5e157acde6ed54c2273fe789c50e133637998523e2bcfe7e139f54ae4287d66fdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c2385f1e502862be04461e28bb0cef7

SHA1
20f1f2b96df57f6ace0bc188db0fdf2b08c89c67

SHA256
8730c854822d2d881ddb67396ce23936e4b91a73eab0fb198a9b31d09ab0f502

SHA512
a8d44008f77bbe2bb806b8f9977c4a7ac44615f2ecc0c908cf8b65284fd7549bd349c3faad36bfe5c978489451f13245bca72c3534aa43c836b403d62e7e1028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f02f997b553d4b423cbc44473dda4f82

SHA1
7825332b3b644f8fdeb6a0ced57e4e0842b10dce

SHA256
8ba7f14ea71a841ec597e5b34bbe8c96d432f73c2fd70d9666f52c3c619cc2d3

SHA512
cd1833a81aad6561ce1d901861eee9304ff46ac62c9d6b9a69876d43e3c0e0c0e9e99f253f7b80fe85deaef2bbb06bba3330722d825fa8a9770d037d5a88328f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7025b34dee17795bb7c32ab70a44f74c

SHA1
0225da35d11056ee1035f012cf9d2f9a49f74603

SHA256
0a9cc261d96e52bfb311451da864e18a810ab2dce763ec68dc51f78bfe0c3986

SHA512
5be326859ac37240857f155f33764422dee0e45b99c6276d928ae1b280f7a2cd54df3ee3b2910de9b6890632b5637da85fd20b97098df4101b02a4122a9fc910

Download Submit