hxxps://drive[.]google[.]com/file/d/16CqpGMEPOiwXif4cumlCF64FJNHKhqMP/view?pli=1

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/16CqpGMEPOiwXif4cumlCF64FJNHKhqMP/view?pli=1

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786437594113885"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3204	msedge.exe
3204	msedge.exe
3196	msedge.exe
3196	msedge.exe
3124	identity_helper.exe
3124	identity_helper.exe
1056	chrome.exe
1056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 3668	3196	msedge.exe	83
PID 3196 wrote to memory of 3668	3196	msedge.exe	83
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3736	3196	msedge.exe	84
PID 3196 wrote to memory of 3204	3196	msedge.exe	85
PID 3196 wrote to memory of 3204	3196	msedge.exe	85
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86
PID 3196 wrote to memory of 2868	3196	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/16CqpGMEPOiwXif4cumlCF64FJNHKhqMP/view?pli=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6cfe46f8,0x7ffc6cfe4708,0x7ffc6cfe4718
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2975986638946207236,6175553083366531811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc5e2acc40,0x7ffc5e2acc4c,0x7ffc5e2acc58
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1696,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1692 /prefetch:2
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3732,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,7117436798781436692,4790665244479342521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:3788

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e06e08d9415e426ca718825d7396f8ed

SHA1
5665f0d358c08d07f0ce86c1de1b51aff8807ecf

SHA256
73bf017855d4c1887d45055f3684f8aa144e53da6f8bc8af19b9628b714384aa

SHA512
6290584dc2346523c5ab1b0331f68ede2b3cdcb818ea4c906dec1799027363d3d7db87cd96bd8f3119c01aa593a49e501432e5b4b7c6c1296c7b6857996150c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
aca163e474b274bb08b6631e90d1e538

SHA1
bca73260da3f6d9aa7b65548cf936af0e7bebd8b

SHA256
43eb599f7873330e824eb69c06ce713f7017e3537e5dcb1df262d3913b21088a

SHA512
68b2cb26cce2fad49086061922c971ea06970b1be62f9236019f3b51b1ad337e50ea9f7cec439dcebafa40adffc504f8f7e326b38639d84f9d15e2e29f7cf463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8864392acaaedb7882223c33c7061d43

SHA1
9ce9bd68f93035f744969a06774ee0bf21d6d2be

SHA256
1b97f369753d24348e7a8196bf38f91b11077adfbdbd4cbae435fe4c5215efdc

SHA512
b661ddb9f97e4502f1f92fde70a770fc68e5bf45d00ce0f8dc12081065932cb6dacc98120185eee7ce0a81e3155b3f93467e2ca0932fc9dc03f4b3a7c9ac013c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b818b324d77e52ddc6aaef496d9f42a1

SHA1
8c464a1b1078582f6ed93c0d29a591e1729a14a6

SHA256
71d7809930300843bca8ccdac001d3b58f677cd8aed3cd5df9f3d093f98bc8b7

SHA512
641ec052ca7f2c1d5fb8e7be805a41d088a27c592db89f0ec39ad0ac7a396c45dcf455e0eea4a88ebc37a2cca017b195b4a338e8916625b2fe9ff6bc4c4c49cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
b3bea6e1e86217b854683f400142ef82

SHA1
b350b2738f633af5d1c2d5c139179c74fe0b77de

SHA256
3973378a47664b55d59f162ab05760ae1d141adf3f6ad86e386e42217d070198

SHA512
425876285326ccd9896022b376263a2b5ec19e5dda56e67c498bd37fb09ee69ef490fec0457ad34d5c68e1bdd11f5ae341e34be18bb9dd5b148cd2f3301b0368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
aa7389f6045ee80a9c6f6e0d84046656

SHA1
f14f196e9486968d1be968cfde930a2a09812e85

SHA256
2375bb2ec6d6ee9a6a41e9a41ff1672b9b01ede5661afe2a5db8abde300cb8f9

SHA512
a66e812ee6d4922be5d3aa70b7e2518cf02f9abcd2414d1fb595aaef5413a04e411c1a8dcafe076a5fe223c83a0787283439da8fbb144bf0a2b1d02b74b262e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
91513ef8a7c15eab7b50d1dbabadde1a

SHA1
ca9c1c9ddce336923f2b275facd2af6fc453f237

SHA256
90f1abc25b6ca6a0411bfee6444c9f9ef41b318a10a7b036c38c33ced4633cf7

SHA512
a5d90ce21fd51905628bf18e87014bd5ca0a7f5924f1ac0357f09635e84d8f8d6fab6fdd830950e012adbc42e4116bba02f5fa3418dad2292e7328a4c9d79592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4f59c2157c833c1567d04058f3963dba

SHA1
00f84106d487d28a7e37d0c5dbae32636c7566aa

SHA256
ce6f8fb2912bc554ed6147b87fb753a59b15a5f4a2a2b5dcf0e0381668f7f407

SHA512
c9aea54d25c213009c82a8fef1b2811ef2f8df5d7be8bd2cd17e5c103d082529ae6562d9bb1187a1b15db53694edfcef851cd7a3cbae5c0aa9f26725b91460a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f44322f1686e585fa3edd07f24b82f57

SHA1
c8fd617f0a2c4ccc85d2d79d94ace421862f99ff

SHA256
bcc49a5fe0eba8ae7c3d48cc4e2dadd28de7d76a0eaebe6edb67529b099c47c6

SHA512
51c83ae08354fc241fc2fb2bdd9dc2fcc57008fbab60c9a5555c6a1269494a0a80b8a0d6b544e00f79656d5b4acc9540b007d6e97163655f6c3be9c677a688f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e59d5d5d3332647d42441df69fc47eb5

SHA1
a79f679c2414c15a6b1c3ee4dc5d991bcab659b0

SHA256
820dd2ad35245aea974517966997c5a20af395d5d2d73d81a6967b99ea3ff431

SHA512
b08201eada1fd6d035456bd3e5b476524312edb3d83616a5207317b76da7247be6cf5a45cb5a8b57e76d73ff55c0402d6fe4ee6e952e5aff6daf3892aa842e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5abe127bd3b7c32cd05b35e128e3dc2f

SHA1
fcb2d99365c2dd4be24cf781b4f92a83b8d81c44

SHA256
247ad8b83e98b7b51248d242c21e926c86a43baac4470e9b9c53ac9ac16ecbc6

SHA512
d54dbbb7c0a57a3fde55e31d81d582ca971c788845485c572d28c2fdcbed9e9050b47ff4ba01060945306ab3803018e1c0a924b1e7903d6e0ae6a6b4317d0940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fe5fa283be4ccdbf62940292e00947f

SHA1
1b8af5a0e948b36bd624018a53df1888aa4b69b0

SHA256
c9664375514c78ff44c193d4faab6611d51621344357eed79f3c3779e040e5dc

SHA512
ea9a51ae232ea5c0e993e37b0f66d8a44d3eab75b22b68f35a37fecc26ec539e7edb90bdd1856e7921c850553979a437344731ca1a51b7817a4cb26f403c216f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e9a21ae3d8f5352a9cc92197dc5b585

SHA1
545fe5d4c83f5a53420cf9015940473af80723d0

SHA256
d0797804e1cb1658fdd3327eba1891b1b65c4dab52752c2cd5b79f54fa7d6b63

SHA512
d771911efb7725218028495f7156108cb6944609227345966aa290ae2c79d68d9d25e8387d7cbadf6208cf5dcc3ba2eb1fe6c85f7a68bca0dc47bf6b40f2e555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51deb7758a2017b8423242e968ca5586

SHA1
38aebaccc714d69323863a172b31d5e4aff38124

SHA256
7ca11cbe502689b64dc3eeb08d888059d7b870713d1e3599703392f37ae832d7

SHA512
45b8324596568f2734d5f4a86629703cddd6c028a5bf471d87d157ada34b8c5f67652163e8864f3b94491ad66fa4c717b63e434c2723bbacba80901ac6352bc0

Download Submit