hxxp://loversparadisefe[.]ru

Analysis

max time kernel
72s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://loversparadisefe.ru

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766672955252473"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exechrome.exe

pid process

2924 msedge.exe
2924 msedge.exe
1660 msedge.exe
1660 msedge.exe
3152 identity_helper.exe
3152 identity_helper.exe
3968 chrome.exe
3968 chrome.exe

pid	process
2924	msedge.exe
2924	msedge.exe
1660	msedge.exe
1660	msedge.exe
3152	identity_helper.exe
3152	identity_helper.exe
3968	chrome.exe
3968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exechrome.exe

pid	process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
1660	msedge.exe
1660	msedge.exe
3968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exechrome.exe

pid	process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exechrome.exe

pid	process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1660 wrote to memory of 4752	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4752	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1624	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2924	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 2924	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 3264	1660	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://loversparadisefe.ru
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf21a46f8,0x7ffaf21a4708,0x7ffaf21a4718
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1789464500608087676,16308851153437965647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffadf23cc40,0x7ffadf23cc4c,0x7ffadf23cc58
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4392,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3180,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3344,i,6207585499962442569,4089339833844635228,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:6080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2ba751c5-2aff-4b24-b658-bb25a2f13c01.tmp

Filesize
232KB

MD5
3b294ad116a38e94909e688922fb9fa6

SHA1
e9973227453aa00413723606033e2f1ccad3ef1b

SHA256
8e640e2d76201a2646f7aa745bd1d26e638e2982a8074e0ecf12165a8ab0257d

SHA512
9730961e906d488684b4d64049e728e1818a1b8f41ee577c1539d3915837a30e4cbc4c92fe2176f383c2cd13dd549f40bd1b5d0419abc2891bc3762822e4d78a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\87a1d9f6-7f33-4a74-b57a-a877cf5d38c2.tmp

Filesize
9KB

MD5
9f194fe22ac8846e51d3b05cce32d17b

SHA1
1543849863bf474dc3390118ee3c968ff2c06f18

SHA256
569f49d4d34257f0a7c1ae382391ff2b01f245d80985e1aefef8e9b8a6efb4fb

SHA512
8c9e6432f7359364a93fff31a4fea87de3398613d12a128716acea7d3d7584243649eafc2913cb1431d7601135c7ca66c8369000fdf2c698ca72a493e75b8d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9c8641f66f7441d8f27533459417958d

SHA1
163c30f15feae796105fe9562d3480bfc98c3075

SHA256
69ba947f683a778644c35575ab7be44b8ea08ee0360d1383bd905ff15de3d6d5

SHA512
e13bcfc8ddb2d00444b1bfe05302b1dd6ccac64d084ccdb2262be26f4e08c97167b60025423472e282d583210c34a42180f55b371167af68d8fbaedd9c52e5e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
76KB

MD5
e1e1eddcdd6e81e4f13ba5a834cf354d

SHA1
75b4573ea8da4b15f06b7dfeeb15f05b2b37a069

SHA256
ec52a5883503893a5d46f3e0c464afe42153bd7ac434858c8c374b6a993388c3

SHA512
3961cb00f12b29d19bde974497229275879df41a837108e7a07e8b25545a510b87376af24295ac926cd8cf335f3392e0d00215d47a7408be4c69f89467b8e602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e7ced82f269406dcef065c8c88a41f49

SHA1
0fed86ed00bf2d79aee8145f0e7e64dfa6d51227

SHA256
4f40c7b84c464cedcd9521c3aba1c4112dd49cea660f045b9ac2d0cdbec28d76

SHA512
c9e4af23d6963a29032ada29ee2bff79cdccda7341568374275f8fdc32de0c94e9286fafb658304cef4bf953807ba3a45e319cd4e1ffb6f17f387b277e236780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5075331947c18a3eeba6d20c0d6e0565

SHA1
0ec9cabaefed6a47565603b3bf0a989923a3df89

SHA256
654c8c2f3cd16168d741666a65e058adfbab88d83236a651638a3921f53f2f28

SHA512
7f0e3b6e3a178ce830eed6224e5a6d75c66d260fa43065351dec29f1a66fa93b0f9e1c501a64bd3beb680871261364db28ff4c2e019222d135a0baeb29f7ad47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
201c35df84e5a8e17ee49db812b28517

SHA1
2513a0ae565f82a3491eb30e321a055d52db78b9

SHA256
adbdc4616267e72875fda62d3ce7844f9eaef3d755c506c484dcfe75541d10e0

SHA512
eddcd074420ef1e6d2ed95507c22a1cb7c17b0cc93ed9eae56bc6bc1cc1bc559791ccaba63f87f5989e12e5f81132f1e6ef670df2c3de4ad5f5230ba021ac2bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1525fa3c2b350128f053c6bc4784a0fe

SHA1
159cc5dd9142e0c7e48da1e2aa2ae95c634b7049

SHA256
99fec67883871828faf18b27e8fd4503bdcd4a51da61dac383ab3d683370a539

SHA512
e021d5d43ac5bfa60d8ddd1caa74faca1205faeebaf8f3e71f44df72d399912feb8be64615ea0cc9196c2f3af1f9d4a69bd907df3773aa669bfaa623ded9484e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
326B

MD5
4d273e6207e28d21f6652250d684f58f

SHA1
0c627b5e134563e1b66e14b94576436d89d602cd

SHA256
1b3244fabbffb86ad62e54bee511f020086b6d810bf905922b99219ac7e38857

SHA512
36654015c3fa3e7e1b7bf1ce49cff64577d431ddb020a7fddec5d62d5cd3cdfbb1e200eff95cbf3b1d9e268fbdd5225c457809d044af691b9160791957f1e3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
daa4e511a3cf3c82a5b47ac6df87dee3

SHA1
d60fd0bcb12037c14dbc9a163f44ad421b87ef4d

SHA256
8c5e5ae6812810d11d65be793586eb58f438a8ec2b708634f398217bf853a534

SHA512
f814e143195df12262ba5b6999f933e752eed50bd6d2e227986dba05feb2262915a737fc0e92ab4b8bfee66f6bb6e84d508a9d76671c08fd11a3e8e585118b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87c2ab5e92946460e935c3bc9fdba5e6

SHA1
c3df53359c4074ed1ec0c0533cddc6e276458fa9

SHA256
91780a97eba2bb4a9b0c0502be976d85202d14ff8c59f6f8b46dd2e97dbea6df

SHA512
e4cbd074b22557b3b5541451da50b30b4d82ef67d10c04de9ace8571c3ba4934e86ede63645549df179d495187ecab3badc43685abcd1b7e228a9a4ed4da59cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a36d806f557ff549787273b15d9b10c

SHA1
5bfcef58197854a04502dd37787cb7311465ae49

SHA256
f3390d9d9faaa9fc21577326ed3ea023c9f5d7b9a048be65b24fa267f0b3d251

SHA512
64ad4656315b6d5f6e0cb16a1c27b8c104ef4d9d2429bce946405b3a9b13bba60406f566c87ec27ac5e03a31ae544524472fba69afcb67493c000f801426b89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76c83108c3b4a1576c43f0a468078a01

SHA1
09519305b1315a0ece9c6e8f737db108a2e53229

SHA256
3d168cb6d09d4bfae396f30b1b4855638235c896ed2e87b1088349ee1999580f

SHA512
c9cf5ef9a04f78a3eda36f74a5f9b1ec710608321759443f8d704438bb3d726c9af8d85ba10813636ece68a671155e1a16aa60a047de682311b90bea9336e4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c59ffd7beea36fa28b857143fbe2c531

SHA1
5ca7c4b30f1f9aa6688c33a79608afe156c63fad

SHA256
e086670f6f1ac68f2fd3f60ed9474f50f171d9815283bf5e3b30428461779626

SHA512
024f6cec14abc75265f805fab550233a575d61699503f848fdaa57531967601f6f3bc3a2f2c11a1e25aada583a5faf88c066b9e41f6afbceb140f9ef23f4b7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7c4cbd7134f577c33f31f189a8404183

SHA1
59582a8ecec2b96304c647aca86243f511b0d7fc

SHA256
b0d1763c4d189d31fbd6e01ee6c245074d48321f380770bdb0287699245a3b45

SHA512
0ed86710982e1bca9129fc141fe83f04525bbd467edd41104b072c93b72578b27b957304d0d913989a64ce43715571e6d6a6db48d5fb2dd0582ebe5e3a19440f

Download Submit
\??\pipe\LOCAL\crashpad_1660_UOVBDVDXGWKROVZH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit