lumma | hxxps://zonytrade[.]com/

Resubmissions

04/10/2024, 22:23

241004-2axjcszbkq 3

04/10/2024, 22:19

241004-18vxratfne 10

04/10/2024, 22:16

241004-165deatepb 3

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://zonytrade.com/

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4492 set thread context of 4580	4492	BootstrapperApp.exe	122

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2216	4492	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725541111329239"	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{DEDF76C6-CA84-4565-938C-ED9391EA7786}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ExеًВ.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
1532	msedge.exe
1532	msedge.exe
4144	identity_helper.exe
4144	identity_helper.exe
2652	msedge.exe
2652	msedge.exe
3472	msedge.exe
960	msedge.exe
960	msedge.exe
860	msedge.exe
860	msedge.exe
3196	chrome.exe
3196	chrome.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
804	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2316	1532	msedge.exe	78
PID 1532 wrote to memory of 2316	1532	msedge.exe	78
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 1280	1532	msedge.exe	79
PID 1532 wrote to memory of 2724	1532	msedge.exe	80
PID 1532 wrote to memory of 2724	1532	msedge.exe	80
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81
PID 1532 wrote to memory of 3356	1532	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://zonytrade.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff88c153cb8,0x7ff88c153cc8,0x7ff88c153cd8
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,6813635627051285654,2090191775339547766,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
1⤵
PID:2992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\Temp1_Executor.zip\Executor\BootstrapperApp.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Executor.zip\Executor\BootstrapperApp.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 268
  2⤵
  - Program crash
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
1⤵
PID:968

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff87810cc40,0x7ff87810cc4c,0x7ff87810cc58
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5744
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6967d4698,0x7ff6967d46a4,0x7ff6967d46b0
    3⤵
    - Drops file in Windows directory
    PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5100,i,4896177534016981665,11153848483518598309,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:5868

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0ff21b5838bd5e2630a387a4c56a568a

SHA1
51fa50589e06fb2b59550a3c05897b137437c0be

SHA256
76bbca258d18af6eee8ef3af24792e255fef8d831968e18373848259a506b62c

SHA512
11c3e8ffcfd8b88249eaa7e7f1688c94bf356305662e211773e93720ace0e1d6b9ddd94a405ab55338d20b92bdd0b975361ca9f7040ee53f8d454c69a8ef44df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
da505c6a0faf28b0182c85cc53e12453

SHA1
1d7bf1c063e8a3ec373bd7aa9dd2913a2ada7f06

SHA256
22e16ba29de02398a4690d6099d2683d7dbbfd006a017e142cf2edcf4f830e52

SHA512
75a0131e169b6e6fad42c6f2abdba2d59f46996427d3fca8ffa0dce288e434d1696142845624ff2d8894807b196949697d1bdb864defc7e8d4c39325e5e14707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59cb34e9d06fc4a5c519cf458625f28b

SHA1
9da8d932759709ea493501799cd2d113a5e58ace

SHA256
1d4270fc00ae0a6111f583ac1e98d078f13b7fa7f103bbe304a13e2510629b26

SHA512
1a688646174b48cdd7a6d4180a4d3661f70d4e8db48dea6b69b340b47a60c7613f8a3122cd92e092a620e3af64d0945135df552a97aa61709205d500eb65897b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a4a2c6639d2cb24f3e66dfecad03f93

SHA1
af7a1752cd3cffe7a8af7624f48e823df042178a

SHA256
0b40176c178cd12917225e7443c56e30d6aa3ad50d2bcc07d9a595995a3e41cf

SHA512
c762e97bd302049bb98ffa5941bddb956a456f9787178b75546e43f3fe648fd9365a5880b290bb1595da47ebd46fe51e48c11528b18bb265d7df33d7214b5b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8b3810caf17c1c944b48446c5b37d1b2

SHA1
bc505fd7a7b6e4b4a7b413dec001df8b0ca9015b

SHA256
16a609f6df307886f4335fe0a8d9f7cb77ef0ac0e92b401578237f3240884f23

SHA512
a8ce7a53d9a665bda2f1d30848542d3c29579654a6efc8ebfcdab5881330970de799022277a1ea1ec68f9aaddebfa80bc898f38e0022338dffb87c5d0edb0651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
b5a1fa048264c7ec766c59115c93667b

SHA1
372d2a8faeb3d946f05b7a323435fff25d2efe6a

SHA256
a458193c1962dfbc9668b12db78990860c49fbf262cc3bbec5acc0fb9bad884b

SHA512
642211bb2f98cf44988b00ed379a1370a48ff2cf8a8649b04f2210f185e327c6f01af19b0b3a66676c86acb654bce62c5cb007e8aed8cbdb23cd4f0ef739ef54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9aa0c0906f394ca106f8d85316e88c08

SHA1
696d0349c69e43fe2225cfb613a0d8c3a451ccc3

SHA256
b68daa467722d1220a8ffafa8687dec08d9c0295c5f4ec4958d40dd70f645db8

SHA512
b04e1d0ae6cdca6b6637bac1aa201eeca3c5dad1192c52ae0619f4d2c82c3aa701261f3eb8dd162b3e8295fde56ef419af8f0cbbe076f16e09765607d842ab9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3690eb7b036fe9b287acea2bf9d39673

SHA1
5dd3af5c6c98ce69bfe4da9a683b9a23881e2dcd

SHA256
cca903e71ca6e3f63a17242ea573f8f0ed9569db4e765c06056aa4318eea67a7

SHA512
cecd668cbf0ba40c30d979816b9ad4190f6476014a99272e1ac425c932db39f630285c5b730de083591dd0365834d162d4f077b7c5deceb4f3688d3a88cf43be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5d9b99fe79cc7db538756e84ae4f9cd4

SHA1
114ffb2ae00c0b0c22d73dfe3a8857b8db31fda6

SHA256
9ad4326f1edf1027ec3ce4b4adafb6d44ba7bf992629fa2336ca611ae1e6bd81

SHA512
8a1a4422084990dd64cab9d08495a0d1f9377e5499cb315308fc8193c64bb835daa749d709a63d86666d3a490566a65a9dcbcbadfde97e4e9e57077d663fdb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9bc95a23fc742c2ef25277717b0d783a

SHA1
563a492f7d21f261df6c11aae8b7c75012147e88

SHA256
97c571835e9e20a6d4fa149cb782b9f62c1f37772fa511b7e57887ec67c5d7ef

SHA512
1ee802243500c36a7e0002db4c1050930fe76b438d3863d2ce42b0b09fd90e577feca06cb4ceac2dcb01b33a43202d03704b0d0bce004ada02b3f2d611cf7fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0857b89455d720789a0e04ab0068b6e1

SHA1
1ed5b0d044820abe77796945df59b2ac2561aac6

SHA256
69334da4107570bc9d42cbfea4f589d4f34826c213c40e8cce26e77d49e82a21

SHA512
f3f9871cb38dc640bd806d2ec79f7f32d49947d527b4fa8898548f3f137bba34f5d918b98cfc3c9d013c1d1283030b48ec345bc6643a95e25f52718fe348e432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11673ef804959106ddfb6e5c026c73ba

SHA1
775a81e899c4f2897a064505c0108e53d4b9c706

SHA256
4f1a40a363e66543959377b4ae6cfa7ba69a39e6433eb5c6a521e1829b555f69

SHA512
885ffad1e615e509c1f7c9dcbee86cfcb7c866adbe58f1a25cd4942a420aae6de2cf5cb09e378cc557215562272db68e0d520b309aba452b51db4699de6fc4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8279237784a6812088ff28c0b3a0b124

SHA1
549b2e75619a3f7d05def6a46e4a0b484572dedb

SHA256
710d1386340578a0218709d9862bf86e1ee9e3e91ff6941f02de4910ee5c8e43

SHA512
47a4c4d36ed5d4d85fbeb53f70088c5f6091139e514d8c81cce4be1c473a788d7e2e2a005a05ad01c033879dec063c7bc7687809bf9774d2f76aa01c69cfe822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
917c8d7ad455c806aa748f953f47b112

SHA1
0783ee146b3cd8bb8420aa7fae9daef46f68f816

SHA256
899159c82eb2a65097047796a0f66a89d9a4c7b636c99bf7b9029d8fdfa93d37

SHA512
428fe5148e5a4ab4ac57ead83f0e8e7ca78e6d57d0262942ecbe336d6639abc252c0ab6f89b66dcf1c22f6c49bc1ecc94d6775f1fb71ce7539506c8e21ada5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1d4b486a1ebdfdc20f240a41de7d79c

SHA1
97546000476e2ab4a1e9457695b8b3799f891de2

SHA256
c24c5e12275c7f64170b82d648b8122c5e93d755de17b23edab5a0c12b29e12f

SHA512
418a4e4840018b3abe5613b55c312289497f461e4ee317d64ac116679c5c8b1fb329aedae5da3b9df0be0729d30efd14e8dbd9d7d5a539fdaa9aefbe67097d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5ae6d9c4659c765f7b6d7e6f3554942

SHA1
abf5cf0294f9c07c7510d4abad3f0220d5aac729

SHA256
62c99c199922ad514e00f5f1022fcfc7216ddc35341f0c1c50c7f10bad08183e

SHA512
65238d71acb655737b84024ba6cb474192083bd130d067fe5d92d3cf015edde26b3ebf52ed3add266508cdd57ad517e07e82c145d99c463fbb8b8b2ee05e36d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a7b2c6abf4e849c3cab615c87947e440

SHA1
494620eab4d5386416f2cdc9a8c53b377b20e93d

SHA256
fe0f695f89bad97583eaf4300537792b056fc72da23369104df9df6d4d26ae6c

SHA512
3a30c6d200561ea5598beb734c22d8aeb55c5a5daed4058b6c812b68fb0da7c9d1be49e3eadb9231bd981a5e82b25b0186b4a351acdf660ebdb96f06c2b689d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7e0fe4e29f75af5f785b98654e72fdbf

SHA1
fe8c8fa8f100691e4c092159742ff5d98d0c52a9

SHA256
171b599c7f7bdda7785d2dd8540b84acda9475f49271472c0a161a85e0c4f7ec

SHA512
0d2bd9ebec40132a9cf07e839678f5c51b2aa172cc9fa6620ad8317119c639d159dd3089aae4311422aca05e4d48104799554f8f529bc2415c88d29deb351851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dabcde29d527daec8551aa06dc203607

SHA1
728367e0e53866e373b7c5e47c970c4bdfb93d89

SHA256
e4eef283537bda6347738fd075a077966a83574acab143ef52259d3dc00a1b59

SHA512
9a43fd7bdb8725f4d662f205d927412bb57d90c5abdbd95e0597714ac5e603a1a662dacdd4a0404f74eedbd9b02b8f427707ae2fc14969a31e5ccbc0d3d78297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
dce5746f3992a3d3384732f170d0d4ec

SHA1
e2ff8badd4614e90eeaf9900ab028cc1b9900d9b

SHA256
f8da2d368668c5390cb7c22081c035416cf3755d737fc981351e48081d93ecd4

SHA512
a3308609430743188e9d45cfbe50197c051a877221fd0e55ab2ce7bb45be5c7bac03f8aac477c6827e0f695ab67ba5bf1bcc49a4ff77e424e44cfb90400ef291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3bc66b187fd5fb02dcc3d8496ba2c001

SHA1
247868c354417d9d8860e9cda83780233bab7a38

SHA256
0285ae29d26c96b89627191e36b464d4fd4108361a6c1e48b4286f82ed7da4f5

SHA512
867b973ebd3967ba7fc96e1c4ae26a4263fb89a082b2c79298f35f86d845a773cb50389b08795091415c506789307a5ffa5c7b342f4ea6de529d238819659069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
089fdb222542cec3876d297fbaf8d611

SHA1
414f860060d03aa05f14f56215f9286144307507

SHA256
443ebafd154b672502625a8800dda0ad76ccf69bc09638adbf1f95f36862a95e

SHA512
982791f244c9b801f231969847bfe5a0cf7a11325f1e5d53805a3437ea94549587c3f4c3c30edeee32e058dc9e135637d4e37fcbb052abf16eaa695ae5872d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c860792a7f3e139dfe7444fd65299320

SHA1
808c5c28bc8f15638b67c195b8882a8398bc141a

SHA256
d1d838835f3fafb5fce75d6eae621407e1cf8754f95fa39fe32ab0d1c8c6a765

SHA512
360762e284ba051d1cce0f7ec89e90422ed577221f615bc87c23fa5aa19cf5ca71a8b153b475346ccc43be9878b83b3e2f38f2c351f565bfe68dbed6e07b89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e835a254e075433ca3d4309c9907b8b4

SHA1
08d7a66fcb03065418db98583408f96d5180bf4f

SHA256
fc712df4c3a16bf454a417a237e7ca20fc715dc08047eb31a74343a1a3d0fc4b

SHA512
a7701ac4a87fa1446e5c10c60c05d60451a95abfe33b92bda7503a214a617de4541b5e54069c16b42f9a7a26c43b342dd3f803d644de3a8b93bf2024dc6a9f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a6d9555b56a6ddd53bc64ee4c52f663e

SHA1
be8fa435cd3c5bae1b144f85ada83e12acd9bf96

SHA256
51a3140418e4ed11d9ab5bf4bb12b80f0e4d73e326f50f342217cd433ecedf5f

SHA512
07133c7c2837e18d1cf8fab699c9195030d453401259e1e54a11c29276e9980c29a2e12b25a7c4d0acc1b1e6070fe48435b570e6e6f02aca20c603b2dbe793f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fccf.TMP

Filesize
1KB

MD5
7d4cc5276f4ffe078aed1003c476fb97

SHA1
1b71abc57c122a897d9bc567cdc23d9868524ba7

SHA256
3812c0c3051d7715a9358167938e46359d7bd9d32799323acbe4e28ecc7a15c2

SHA512
04876bcece24fcaf4b0d791190b588e94e2d60955dfa4c92c813e718c72b2147d7973143c9c2dd25368755a20c27a3c57b7369be3dc05f37512ae52554c63a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
afe0758e0ab090fd625dd2a07c7fa0f7

SHA1
23097fe0ab508773bf6fd630503acd0522937f19

SHA256
e34ae5c160b2c2c052494fe0d7a220d2e6e1079f8acf218c7cae6d09fb3a6ba1

SHA512
1c37bdae9643e8da4131f3a734d28f0ba98d7b4e64cbfd4fb2f0f324edc2e01728ddd1073a8a3f765aed6c4d04b3fdcad4c5698340b147aa386053dfb2bf3082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86906cc2000ac4986ac3f5091cfcbf9a

SHA1
2622983a168d77c503db2abe53ac6e85beffa32f

SHA256
2eabd51ab53eede267aca61dec14af49968f7441de68e01c790b611876eeefc3

SHA512
ec7bcfe7a988c5900a8f58f152999b5f3ea3c93de24a74e89d1839be09df07e21b053b6a3221e5969bf3b122adb3ce0ccb6fe532f4e3fa58dd95509d486e2c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d384f27a51077555cd7c5cbfcb2fe3a

SHA1
69e4f677e002d7033cbe8d80e60db4735f1dc789

SHA256
a66ffb2def882f7490f5cecc719124bef0520bfd98c928c4c7daa7fa4d1d3dce

SHA512
10bf89347584191a3fbefdbca80fbb4553857d38cc9bfb532832c9bab3b49f1dbb2b405c7f38a7f19ac2e2e72e764fbce5c6253d59fc93098fab2962f5d4da70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\ExеًВ.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4580-999-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4580-998-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download