hxxp://fdfdfd | Triage

Resubmissions

19/11/2024, 14:02

241119-rcl6as1qep 4

19/11/2024, 13:52

241119-q6nesawgmg 6

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/11/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://fdfdfd

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
14	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764979740987939"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3632	msedge.exe
3632	msedge.exe
2332	msedge.exe
2332	msedge.exe
4736	chrome.exe
4736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: 33	2576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2576	AUDIODG.EXE
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4624	2332	msedge.exe	77
PID 2332 wrote to memory of 4624	2332	msedge.exe	77
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 1700	2332	msedge.exe	78
PID 2332 wrote to memory of 3632	2332	msedge.exe	79
PID 2332 wrote to memory of 3632	2332	msedge.exe	79
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80
PID 2332 wrote to memory of 3000	2332	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://fdfdfd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fc6a3cb8,0x7ff9fc6a3cc8,0x7ff9fc6a3cd8
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,13282780668935909623,10262154822054390938,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,13282780668935909623,10262154822054390938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,13282780668935909623,10262154822054390938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13282780668935909623,10262154822054390938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13282780668935909623,10262154822054390938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13282780668935909623,10262154822054390938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fc46cc40,0x7ff9fc46cc4c,0x7ff9fc46cc58
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1716,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3576,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4580,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5228,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=5248 /prefetch:2
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4376,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3296,i,7659876447532837308,3742205257291389776,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:1656

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
febf513cbcbb3dae59c3bdb723fbef46

SHA1
f0450c541e4b9dd66be3f76e3adbb25fa8242f3f

SHA256
84fe1c490be10dfebbad73384b887c78cbec0f2d2243154e681fb162a8633dd6

SHA512
af7e544f81865f9c3094658710e4d0d3968c696a6c4c98a1703064b8fefba896beff11d51ceaaec1251502c3fd54924243a7179da7efd8ce8734a4dce7dbda96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
1024KB

MD5
787f2c88374a749ade57f97ea9628e9d

SHA1
bd0d8423ed9d271e1d24e890c7b91a03c29fd861

SHA256
427525d52663db6d11c842fa447fa9f721b0505033c7a9e9f20583d4e634c2c8

SHA512
97098ed542f0ae23b83500650d391c18e8855fb35833fef41c11adc1fdbb746d2c0c4a664458c77d1349865dbf032f924eb6cfc3f2e8249faff9653502b89eb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
1024KB

MD5
3cc5fe9c801840527158aab70bc8b4e8

SHA1
026e6af6ed2d9aa8b7efea6bd43735281132e4d8

SHA256
123693dfd7a653787b168ce2e25c540ca4e0e2933fb49eb13174373d90022201

SHA512
a5b0b6d60d623dfdc6a232ab727d723493c87e1c054fcde48c2aa75af096306ef0d544e15e8095fb1815b1b6b65c72d3a7c7f4c17c5e9fd78a3ce704359df747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
883KB

MD5
6f25dc9decfdd72b4224d43ffd2d3d56

SHA1
e362acb6108941dd8f3ee26b89cc4c30f8b147a0

SHA256
9bc42ec3b36ce6fceab953c650e68ce76aa2097b234e17e233e56d8302bd9c6e

SHA512
e6e674a32127adb6e55aaa92d9fd57d036af336d8285de9bd32b4b077ac30343a15029cabc8097157c2cfb74695a1fee2234f9340ff2a68d642802840c9c7a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
39deb92c7facdc23a12b36b5f0ce36a8

SHA1
45c4aaa7018f95304778f0e96f9015f6d247b8b9

SHA256
94977863c3d7a61336d85f44e741dc8405dc74cbc381ed7fdc9dc3b36cf3ac05

SHA512
ac80179058af8291e27c3426c5f7540577b9e1428c470d752995373d04ef58a47dc463b9cca82cf872418a25ee5f08679eced5fd5fa41bb89b53fc08b570143d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ed69dd2f4398ec88b7597bc9af2df571

SHA1
277822f812f3e47da93135e38ce5d4aa26fa418b

SHA256
48c794ae9b7b97ed6567e22a3e2eabad0858954c49a899ddea4b108552ca46ae

SHA512
a90a5aee01344704a3a76f952df07eb64a06fc95ced0fadb3ae135febb973e435fb4ddcbe801488634932d128d6933486b27fe54b4ea60d30ca4e868431a9796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
2afff3b715e8e86b0b539394a78b2d7c

SHA1
6d5e7c6e32020616f3d5ea26fcd9a56e28038fa3

SHA256
b383518d7dadc8bd24495ae767936165fa23560bc8faa34071450bd13f033a90

SHA512
7626c8c6c8098bc132ef8a7e1ff836f9d7bb98c7601b640b3dc4bef1c13b26e7ed36b6e7c531188ef149df7e44d1b3028b4a0531269e656331143bedbbf93f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2aacb6dfdfa262b63d1d72cd3d8fcd7

SHA1
cf03ff1757307bd6bae7f821a25c3ce6a7054026

SHA256
4615af7d26003a589c02315efda92dc1656045c380506e6b2934e41739f4bb55

SHA512
c7145570822ea061fcfed04d11ab7515f1f1479328bb47272666f3a58c58f46f3d39b08f7204908813deb1e8278516d71bd996ae84e7c8844a306a24df63b1bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
262414717218d25d1b91e596083b0e15

SHA1
381a90ec318f817af14ac9ffb1f573783429f7e6

SHA256
c21df862e459c9c5c017c62f359a0817715ec37b539a7474a27f6148f56a114e

SHA512
9f6456dbd9eee8d1616496a2d424d735ed7a546467f1c6ac18e68d24fac7a025588a1db7df7a11d7bea28a1aa4898468111bfb48ed81fca8073a5c053cf470ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45e2f9b6ffbbfd37dcbdafe3a1526ce0

SHA1
c9e91f878df22a9fb8b0a0d2979194277abc5301

SHA256
297f3ac8e2b4c74cdb59cb878576a5fc2817d1e527055c2ef5beae2e4b9678ee

SHA512
cf60b6d3ecd864323316fc0318e6abe9e38265785e0535be4eac67bf2ee2c6dde1473468398b0627e13088be3a7816d005309471458a954f9c3c05330131d804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0e8743a0bddc729eab3abdf786202598

SHA1
a91ae42d1ee762864c7b9358ca0f2f795e2f7c18

SHA256
630a4553eaa0301ddccd0880bdfdb8bf68b33725782b608b776488258dff63f1

SHA512
ae5619670160fb8dce9b549c8867b65bcc20dbe2d171235b657c0e2b9c877377e2fe9c74d1b9a884700de317a8d0bfba07582c71422825ff01e578442a080dc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
afccc39d053c5fbc9a6d5c7b212efad6

SHA1
dac8d503d278595a6d8b89675f5d5705f21c4387

SHA256
c720e4d21c6bdd25989090121a9c80314cb1564c22ad7136b45ce53b57354514

SHA512
feab16b02a19e05486a0967ead0efe05be6682fcebb9e7c097cd4faf394bbdd7f1b6378e9c77f50191b4cbb907300fb8babcddd6df5594017f2e42fb5eba6282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
8b80c3b68ec0e113f4d7b091aa17abc8

SHA1
bfbd1a87deee66ef0bfbc92e4efa65fee7d8e32a

SHA256
6b6946ae8b6faf33836b02b7d1d58108144649ef8763c1ebe873144900b92ae5

SHA512
71fd723084e4a7cf277a09d25c245c1711f1125759bae70fe2b5fc1ca510bd1cd7fdb48697fd3e9c7f1af04e88f27c8c539276ea382a039ec6804d4003a728c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
31e747e81bb5c360f8d27d235000adfc

SHA1
2c9aa0867d5092a174a7902a6455c09aa3de2c76

SHA256
1458c29a2b8853f960bff0a8de51fbc3a70bda0f187d2be443aeeeade86e875b

SHA512
5760d0d59d7f508b7ba3a1da608c9826694c6e1a07bed7389ca7e4a45e849c7431fc322f2762573da7587e86e418ccf7229b208a25e996bed707d41e4bab3627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
065f080bb8ec33148a8f4dcd13f67299

SHA1
4ce122a7ea3cab8f3f932fb33bd83aafe0dde3ed

SHA256
616ede5ade01a4a2fd3a5977dbc26361bef87e394fe1790c9067023a55189655

SHA512
99f4393071c2303b937a8d6debda9e4621b2f58c73d2f6004cb4d8739ef99ec6231c26f41d53b79722062409ca73524dc6775f99fabc90df3cee3ab13576b9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66e3a3780c0f68c2a89c71ce06b002c9

SHA1
4ab6982090d43cfcfdeb4bee98d8e4916e106413

SHA256
4a1ca6367ab978826f0208150df20e039d410f768d5f972ad1a53aa53e0efa91

SHA512
2188eda8d265c5ace2e73488b2c6e1f8d9455477978b60f392921575c4ac4dda0cfaf1ea66a2f4dd9ad53fff9cc842b6781a09117db8b06bc975db286c3d42b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
932aa361c4453e06ea0c8d2149e07f4e

SHA1
0c566aabf23bc88e580e6ee331d83917063649df

SHA256
2bf00f90bbd30e0e217dbbe93bad4b29ce5fef9f8ac48d0c39784f46eb8b0907

SHA512
fc1c622d07c8fea805035927ee45aa71198ac9ed8d51785485a6cb0742427e0ff5aee676da246d83e40b04baf9fb44d6ad0d8b54effb5a3e2a90b92744bb24e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d4dabc2-1a32-4b8a-81d9-75273749ff9d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_1452445351\38a2589d-4e2b-498c-8c03-6dfd3a44974b.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_1452445351\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit