hxxps://drive[.]google[.]com/file/d/1BSP6cqskmsAqwKu6H53nxBO-VtL3DhFB/view?usp=sharing

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1BSP6cqskmsAqwKu6H53nxBO-VtL3DhFB/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
15	drive.google.com
59	drive.google.com
60	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772968088181293"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
2908	msedge.exe
2908	msedge.exe
1212	identity_helper.exe
1212	identity_helper.exe
1736	chrome.exe
1736	chrome.exe
5192	msedge.exe
5192	msedge.exe
5192	msedge.exe
5192	msedge.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2908	msedge.exe
2908	msedge.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2100	2908	msedge.exe	84
PID 2908 wrote to memory of 2100	2908	msedge.exe	84
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 4184	2908	msedge.exe	85
PID 2908 wrote to memory of 3172	2908	msedge.exe	86
PID 2908 wrote to memory of 3172	2908	msedge.exe	86
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87
PID 2908 wrote to memory of 1528	2908	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1BSP6cqskmsAqwKu6H53nxBO-VtL3DhFB/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad86346f8,0x7ffad8634708,0x7ffad8634718
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1152 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12006429195238889565,12175036697878880935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffac600cc40,0x7ffac600cc4c,0x7ffac600cc58
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4656,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4444,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3396,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4520,i,18247975804426571242,11718809994581554543,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\34a105f0-d4f4-41c1-8bca-ae0b6c294855.tmp

Filesize
9KB

MD5
e446a4d7744b97634ed2161fbff5b2ee

SHA1
a5e33d5813999dcca83d86c883d1ea894d84c352

SHA256
8baf4c8d2bcc907946fc1121627e7072a66a9d54e5e73120a617a111dbe2844f

SHA512
14430bfc336655945b67fc3cde7222c52b4e77f3621e82d5969e9d7799e99ce27ff65086b31d108feabb5ecbec39f79d5a183367357e0fae878edb33a2b70890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
69c791cc3992b0eb79ea0ed01f7be05c

SHA1
3e93cfe23002397e945b598c8ece9be94af67f70

SHA256
fe453210040fc78e75732fc14a8f516233171d1dd68b8df302a3deb81b7abb9a

SHA512
347883fa9efac52ac1ad0782f8ef400183615d2b3c444f5e6d629eb734569e4e76c676767b40a2592c9b52da8e81087df14f1e1d93baa7ecaa0a1bb6de09f9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2b2695d79040b4b5962aa488fc4c3f91

SHA1
547ee2ea243465fe033cd5520f45dd61f8b6ed95

SHA256
1924c4253f03a43c7b2f11375c1a06f0427bc63cf319aca6bd29896f1de950c2

SHA512
58def84ddf667a592b5759754358f4a623fa066bc1aec797e00bfc15c3110e93fa26d6c8191d15f6f7595736a08bce4f704e045095fa0185a589e8a79a38cb65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
8292b2ab8281d44a35bcbcbf9001b6e2

SHA1
d22fb32844fb3dcc1ec7f9d07184d56e1ba9fc66

SHA256
0325ea2ce5a14fa2951a10e80e19837568f077a416eb2d21f4fe7be7bedabed7

SHA512
6f305e7b5752d76aa8affb31465368307d59cb76c0154494511ba1c11c48e1cc60b1ce3788cf67cd81d873b563185a0928ec361cf9c47bcf49eff6a5b18c9f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6277638d824b184be476dd299a9563e

SHA1
f5b395008863e41b31129deb432ee9efd0c03379

SHA256
e408799c3f8c005fd7a20ae242dd596afbb9b7236c732a59432875bbb97bfe9c

SHA512
f20339a6581483c918c9a75b47fab81e5acfd5d9399e9210cd499234d8d62f728ad4ec52e177b6296691c1f44c14b957ba37c5989a1e56c6bc6bfa66888d5b18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6b5c8c63a6ec78f8832da5f1c022ff55

SHA1
bb2c884a2b38e92be6f4eb4c0bd7cbaaab4b86b6

SHA256
c248321e1603382ae0ec25bc5a5ce1120eb61ddd2897bb5b4b1f284c83441414

SHA512
be6059214fe9c2ce85fe948906c2bdbba7a58cf255bffcd8ea4bf9d4298dec7425c710c178358dca26c9463a7f21ad91215b6cc8dd5959957be6651717e3a303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16722b123a8fc7ea50c10d758dad629c

SHA1
a485687c88e218f401d1402f4b3590a615535c4e

SHA256
aadd1ec40d264c9944161175da92aa652a5dc56c48f5624de7e0babe5f4e5a8a

SHA512
4c84764032555002d6254c5ddce4018a8747277a9bef6edbe95e5e0e15e40f7f8ea6889ae6f4b696c1f6c70f771dafc2bf5ed93e59a87084290cf172456cd67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
918ba2854a7e957ff0733baa4ad67003

SHA1
ad0b32cee6e078bdc7f7fd88444f37f8d49bfa37

SHA256
d84c0a621187cbb9d4eeac825791122310c3b0b77818c51c5823ada664a51e85

SHA512
a833af206e2a6ba57f2291b2a24b28ed17aac53800615ccea7967d11d56b7bcf6c3707765e12cddb8a2caf4dfd90ce7cf5f21a37c9a8e3168b530bf8e4d38e4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
287624cd822729906009f8acc087b996

SHA1
6c81a556bf3edff9b15ee95e9585e4cbd5f5c2fd

SHA256
bbb3f040e6af66dc590a9e181df84e1fbffe8747c2574608ca10ec3c60a66553

SHA512
8f83c88aa8834a53a32eaa16f23e8ba37d54aada669926042521f3f9f11e0175126d89f83c53609f08f14f561127088e53f20f3d3b4f76bea84dabb0724a02ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
980236c83582e3e80f7c14d7253b5523

SHA1
4199c69a645aec288bd3eb70f794b6b6b779d4f6

SHA256
e030ac1ca806508b3de6c75b086cd2b572cb17f125e3270dea245852a942e27a

SHA512
3334ab5ee9115943f40bc27bd2c3aa696294f67ac2fb932da121f6ec041aa5057241fa57caf0be5b8633a7395ae6f7aeb769c82538c6074f575d8fa8b409a299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
5b0af1a6db55de7cf4f343ef0124166e

SHA1
f0ab91aecd9ee034f861f1f312ae08bdecc07083

SHA256
8247bcf2dd4764448fce1de2bb59a1dced4dbd874830de064161992259600f8b

SHA512
213801d778faf336252e9c8829ada21e698bea5e54946ff9106379555ddb22db89a8dbf1eeab465ccdf4e9c8dad1f82d5edf605925da6706d883d12b99a66c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
42120d0938d609cc81d0dabb6eb13d00

SHA1
097a1a3d8a84699546147a8df5fd3de8ce8b0181

SHA256
b942f410f4f34d2be239868d31e557c077d4e9bf5d3401e5bcef8812e3285bd8

SHA512
47bd26b8fbfe8e7015f91c8944184507416c111366469a1844aa6401f72829bab7080b0197477a16bef115cbc4b547e0b9deea56e4c54bb13ff74ba519d41b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f22f944155c370b66cc323b519e04ab0

SHA1
970215ac146970a1c1a7a20b0d3441f0cf0428fd

SHA256
d62fb1296e49072a69ca584b142802eeec75105e3909d410882a216e2c8bd703

SHA512
aa054defeb2a7e3bb0e352b5b118215d7a46c5f882d56aabb274cde445af2c5187973c51f6d1f41fb6b91629fc5e65b55c7c5420cb5c6bec257384d1de978100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc5efe1b389da6f75c3cc8d2498ca863

SHA1
baaf133d23069f5cec8a7a54fa1bffe5bdf2502c

SHA256
5c03e1fad3085b4fd5ca8006dcf97f5a575c5fbb413431b9c9b9d50a13a48c1c

SHA512
1d0764e79cae30b6e74cdd572c45d7bfeb6bcce3814c99ac301174c13cb115a03c4e7f9183dbe009a1961a6e46fb63df933a1d0ae10ea94ed01069df04f9d9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6600bf293fa10e37073d44dd300910d

SHA1
73ce071ba5e7999dadb65e63270f58260ba8cb2e

SHA256
e7021648fb54736e6a355f3a923e1c253ead2ca4d4c50f9879c14c53d6fb9fd9

SHA512
f14aacf3eb53b7cabcca345e014b2868dc697490c1db961a4c3bc4ed9761daccfce327bdb0edd9f310744d02783139fb3b89fc0c1aa5540c87cd64e94828816d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
943f319c7621341611520aa8e3e1f7fb

SHA1
79a00c961a652403de2008df18725ca26cf74dd1

SHA256
4786cb52cc75573b4561bf9a10bf882314a6d4c096ad308105537ce7eb8d0991

SHA512
c3356fa286c422c02d541ebd97a732dddff6f737be3c38bf78f870ccf211aebb0be42dc3cd3e12875f773b206113995bea6bd210dbf7f5aee30d33917f480144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
05310d461da6c8a5cd131feb25e7a832

SHA1
50fa2419d7075db9daf222bef736f2624ec2bb8a

SHA256
1f6337af50421cdc73030865021043f050af88bf1e568b0f3d14b10b62b5f3d8

SHA512
6a55ccd03f43a717406cc3cbfa0707653b6e5c43ad82de93ebb9f9536164a3816c30a7d63021aa360982aa9604fda1ef8562d3d15c94631e99d50188077aee16

Download Submit