hxxps://drive[.]google[.]com/file/d/1NhLtoKeZNklDjKWCayY3dCuYDCujo5qc/view?usp=drive_link

Analysis

max time kernel
63s
max time network
65s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-01-2025 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1NhLtoKeZNklDjKWCayY3dCuYDCujo5qc/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
87	drive.google.com
88	drive.google.com
5	drive.google.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5d45cb26-27ad-405c-8a28-1308f5139fac.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250106200327.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806674442039092"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5324	msedge.exe
5324	msedge.exe
3032	msedge.exe
3032	msedge.exe
3996	identity_helper.exe
3996	identity_helper.exe
3132	chrome.exe
3132	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1540	3032	msedge.exe	83
PID 3032 wrote to memory of 1540	3032	msedge.exe	83
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 1436	3032	msedge.exe	84
PID 3032 wrote to memory of 5324	3032	msedge.exe	85
PID 3032 wrote to memory of 5324	3032	msedge.exe	85
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86
PID 3032 wrote to memory of 4800	3032	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1NhLtoKeZNklDjKWCayY3dCuYDCujo5qc/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffda70046f8,0x7ffda7004708,0x7ffda7004718
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff6ee7c5460,0x7ff6ee7c5470,0x7ff6ee7c5480
    3⤵
    PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,4495821558004064741,4954743059670147241,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ffda6b9cc40,0x7ffda6b9cc4c,0x7ffda6b9cc58
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4132,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5244,i,10358758375827917692,1389803320456481424,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4912

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3d126297ce8b8541f530cd58449ae311

SHA1
7f248d5aa9f3dc30a3eadcd549fe976a4842e5fd

SHA256
30cdb5c7e29e52588edb8db28b38496b41700030dac3af306d93c70bb268108d

SHA512
e61861e42aafe0ecfd688ed6cf14fa6d69cae97da669fcc7345845fc38bbbeb831e1291d01617437fd75a45ef1bceafefe3aecde94b6f76cbfbf0549172aa643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
84eec30d667b06e649d708309ffe7e67

SHA1
9378e3572f2c1e6607de1b9677409e7449a4fcd7

SHA256
0a5971f314a176a0601e443fddddbd0ab18af59fc748d8dfe8cbfc883f66cf2e

SHA512
60ea4cbbc1c9efa71e95fc883be9f214e7bbbb2f17240827c4144b6a63f7aa4f22ddad8bb1622854c56df0d2f6826af764705c403cc383915e74a2f24395cefc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
43a87522f442d61fb7538ed2da9185e4

SHA1
dd3746b1720ad5beae8e31eecf06798b8ebd3c20

SHA256
6cedb9267177c797a704fb97d8ca8db7a80e841df57c919cd7e17c6053d152fe

SHA512
ae0ffe5e86f5d8294659d2f27ae58d20282e9c4601a4779a1c3bfea9a63eb3dd757dbb04a3937cedd9bf9f7ae0dc61ea892845262325bfba4f649876287be719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
190c0432cbb50ac992c7a60469c97a9c

SHA1
1a2f29f538faef92d4d8add7cbdfe72bfe8e4c31

SHA256
2222ca815b6e687d85198933fe1f481bff871c6025fec65dcfa0d6bd9d989681

SHA512
be9e8ed4fcd3288f148ec38a75e1d1354d9f7a78c80c6e57f51bd9af068db67603c2bb2ccac9a82567c825d62de1409b839dcf00edf7edaa4961e7772d643c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cc2687af52ce41c0868e4e8fbe97a71b

SHA1
79e9f4be703fd961448a185602c3308e6778a67f

SHA256
9792749911089b07b40977bd488247506ad19fca430a83e34431a8dc62bf72d1

SHA512
e16109544befa2982cf3cc5e90239bd28fe4132dc5506a30e8ff5f2db71640e3816b2a3b59f35e2fba7b4458c41e2da7289da690dfa5ea5eec3175bd48a38c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
0bbd25193cad1a2f6e38a1581d8e2e59

SHA1
a354f59fc57e8f3385f29cc02f424878dd1511cc

SHA256
3f3ee3e18d92ce11e62d69657dff6c37f62cc34f5661bb51a04ee46cd96cc690

SHA512
f0f71ba095c3e329b1bd54f081f8c7242ab4efd1204017fa070919e2aaca16887b702c27a827cb10f8a276ea4e13c1cdb9391df71a60445472575db423e3eeaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\aef5b46c-96da-421a-8069-2ea997c05bea.tmp

Filesize
9KB

MD5
c66c5ad5149dfdbf34a10b86b7570b82

SHA1
9396b49ee4a0329439440da5dbdfa5301892dcb8

SHA256
2961929c930c7168150367b4d1d74e3719e2324c5fe43fae694226e1209cb767

SHA512
a0b97934fb8ccbbc541b8cf0771ff924ea21c4a6bf3d1c216e8596b977f626c6106fb19da118f077918fcd406b5fc8787684a93fbcea31363778f6dbd08e72de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
ccc7b79d5dc55df2ddbb771aff544c16

SHA1
23aa63518d2fbec224bfd72813e6df1b6d70bd62

SHA256
7baff200921a53e47eedc7073a0ab95adf8ba57f30eb19924066d0dfb3b396f2

SHA512
c4e764551309eb641cdbe18c7b0a144981c42ca2cb5d5f775c9a9a58536f7e769ac5324725cbe5d2f9d68206f3323fede7924fa79a3dcd107ef4757b03bec0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
926fbfc8fa8c61c742079f5b165ba2bd

SHA1
4563d336ad29fa859beba910fc478524d2a4bcf9

SHA256
cf465b5314775cb2d6cb362ccba2accc47647b395d4ffd5f02f4574f8dc0f21c

SHA512
2571ef6ab633fcb690eb721b2492a3c7e9de7b25d0ac7c681a12019edad99b6424a448385f05f60eaf8a8a063ad680fd54c6976fe34d1e191ea053ffe8490cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
913cd25b0de81960e841c81a7bee8b19

SHA1
2c4bf2a4de37c06bea3e39898c9a98ee611b5455

SHA256
b01953744098bc035aee2a21976607df9352ca42abc3e01d769e2ceee1c9bd5f

SHA512
e5a879cdd1f83d6b6ee13117924522c967e2413c29722b5507b632514e28a0defbbcc942e7176f819e05df7bef37ca5133ba5efeb67a91c34b3736eec05ac8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de0e1d3019517b3b005d7731bbb8a355

SHA1
ddf1f15c241f72585595cd30de12c4c3ce4e2f97

SHA256
4ceef5b8daa774c456edd70e46668746b8fa086bb9515ed5975e6737e40dc3f0

SHA512
84f7a069fd6f0713fdb9d35f17839b8755671047be477e49102f5777e8ebeeaa6421d3816727dd37f1241f4653c063fb0823ae7bab1d3001635c5075c2ba464d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2b422f7b5a0436bd3a2edf4233f8b7cc

SHA1
fad3c8179f117f94240b78eab4dac78b02eeeb5d

SHA256
ae3e571c77efb0fce4136e6142cf2a4bf1bb8e42cf812b047c2435451a211bea

SHA512
0b8067abe1a861cf94f73296a6c1dca4d30debdb326549c03ff269f65896bbb341f9102358918783e5269df6fe3143aca0dfd70e8179061f93711a8e63e8aff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe57f126.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d78f3d74b185d2c424dad2b61418bd8

SHA1
136c866b9afc266acc9c543dbbf9582533ac2555

SHA256
80798d4d19735a3d552159517e8ae481a2bc6b00a970875185a9ffd3d599023e

SHA512
aedb816d8684571b21790ae62a93bf5488ab735b9f3239b94df1a769fecd38ca6d3f9434015abb9dafd2febb23623294e0a2b42c621632de4ba42fb06e4f172e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c414f32c443d205a75a2ea5fb5cad398

SHA1
1c73eeacf0b7b6ac5e61aeea7a95757c4dc0b418

SHA256
dbc60068dd798b8b9357ebf837dce1fa5b6987e183c5b7647311ded12e51182e

SHA512
bd3db06a0e6237ab86d2ef0ef3a8c29bf9204b4ee12712a6e00dd117de59a85b9dad57ece06a7ac82ebaad3adee88a4cb2c50c51ed0c98193fffb59582671bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
861a6f5132b39229c08a9d1d40b74221

SHA1
a58ed73e501a6fd074f6f62d27e3d9d017f79e98

SHA256
db9897ced9a699b22dd0a8a8110c090d5471866cc637459652f8c8d82e791f97

SHA512
71d04fced94ee09a0e9448a41bf4ef7d9d543a998874aa4a6e5ffb04d555771ff4f78aaf9990f3f11297458aa999be968bf5f95a337e39b5f82b83bc6f17c023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cc420cc45f686797b102b94f6bfda2ee

SHA1
2b0b5d4848cc346c341cbd51d5fc6ce8a08910e7

SHA256
23f845e57c6718a65f93b97ac9c425d7abaad84f75e77e662c4df298305b9a19

SHA512
2410ec9ef56e8ad547219c4ffde2d02ab4fe8ea668c51f6519e224805770375427a4db95eab5e5f062ebdf36323c5bf03d1633508776fa553da2e8c408846092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
832b664db8c95c83ff39b95fac93bb5b

SHA1
9d244b3081440efd5dcb15c341b2e790e5af359c

SHA256
d1d1d00928970105a43609aa8e2516b41e9473ac285cb591fecaf74b69213487

SHA512
0d46d177ca250277b341f04e3e4565b048069a14993bd1d89d38d03ac8cc4b499dcb2c181bd86f12f903054923a3bb47787d229ee975d900dfd6297db22c246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
523979c441c8b5c1728d553e43184aee

SHA1
f6657ab964d2788c23f6bd946b7bd4cebcf2131a

SHA256
f78e702d347e16f5aaecea47c07a861b3c1f1f7887acab89d9f1d8798ebe175a

SHA512
34760f8d5a2172d2420a835817bf7a782aed640089111ca092b20123493604f1a2bf97744d6aff00a4da911cb8ecd6a3d41234491493ce7ca1d02aba8cc17b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
587dd5354f73070d2d1c1f8aa9bc2e67

SHA1
ed21b6b7cbec0c6092033583a0081edd43498d07

SHA256
8974cd03b44f58e7533bef46a174b0801592e2e8cd763dc8ee5eabd21d291fa6

SHA512
e19d585e802ee559b9128c0da42f81dd4c287b04242f72e1a22f5edee662bbb9849e678cf2505a400292566193f3c4bd45ca8aa2b8aaf2f2da1095da86d9aade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f2cb2836e24d0aceb851bad403888e75

SHA1
9761bbe719ccfb822eeb61f0a05f6c84f3ea8c1d

SHA256
2c13edf9625495e531cd4def74fec25ffb0c63d01bfbac16c39f564ac3691c1d

SHA512
9b31e68d98a9ef0bb8d251ba4d5adbe371879db133a761a9c1e2e33945af0fbd21912f0dfbbf042698333178450574e4070682832a6df6a26f6020a0018a6341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6f2eddb1e0aa551797623578cd8f136c

SHA1
8d32c5e63e01590930c1b78d202e6be0234627d8

SHA256
0d57bafc963d5967ec8a72ab7bdfe42979a4bf824cc0bd621abfef16c8fdffc6

SHA512
456824085c8ce7bf8e193c90ccb961ed6f9c54d8685ebd05689616f550c55d111a1b8ffb67c6ba666ebf4d70616bcf22b26c297f062f70908bd0e0e2dea10724

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f89a663c3fa62ad693cfff2f47851135

SHA1
77cb7013d287f4a11853643dcb17b4969032ac3e

SHA256
c0529b1fb1352e0454ac97908c906a7f79c80848021c051766c8078e5a3812c2

SHA512
d91b4bb35d8fca9c1d05df0fc09d13cf5a6d96c6035184c99953de970995c60fdcb5dd6b38e9ee0e0202e72847b2c592c324fd9bedf81a2bd3bbdd50a1305160

Download Submit