hxxps://exi[.]link/EvuqQq

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://exi.link/EvuqQq

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msedge.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645705964342597"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{54565A1F-31AE-4871-AF99-1E1D39082516}	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exemsedge.exe

pid process

908 chrome.exe
908 chrome.exe
2644 msedge.exe
2644 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

908 chrome.exe
908 chrome.exe
908 chrome.exe
908 chrome.exe
908 chrome.exe
908 chrome.exe
908 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2644 wrote to memory of 2316	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2316	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 2352	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 3624	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 3624	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe
PID 2644 wrote to memory of 4056	2644	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://exi.link/EvuqQq
1⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4428,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:1
1⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3852,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:1
1⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5264,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1
1⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5328,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8
1⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5468,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
1⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5924,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:1
1⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5932,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:1
1⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6132,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:1
1⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6136,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:1
1⤵
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6508,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:1
1⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6248,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:1
1⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6272,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffaf331ceb8,0x7ffaf331cec4,0x7ffaf331ced0
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2240,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
2⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=3296 /prefetch:3
2⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:8
2⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=560,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:8
2⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4112,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,15857890932253985134,18379243263872416307,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8
2⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffafd0cab58,0x7ffafd0cab68,0x7ffafd0cab78
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:2
2⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:8
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3644 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:8
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:8
2⤵
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:8
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4252 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:5900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4156 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3648 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4424 --field-trial-handle=1924,i,5681300719238689556,4324886128015631862,131072 /prefetch:1
2⤵
PID:5720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7c6690de-99c5-43de-952b-d194f473f42b.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
264e92384e2dc8711c39b8fa88b9ea8f

SHA1
ab9c821176b6062eba3e9588db18245ef56dd5b1

SHA256
8accfaaaa719c7360e50ce41b331842f2383cc57d7c706f191f39e21d20d0b1a

SHA512
8e680cff063c9c956ecb183ea3b76c866c845579ddfa98dfb6a6432b4f654c69dcc38d3d63a17bdc577740e1b50cc2c95a3505f3aac79d100f784888eb17143c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
1c83f216115f56fedd2e3ea11a6fef0d

SHA1
884d638211638516cd0ad679a60e23dd51faad6d

SHA256
67f8a3fb5799248d5b94127156183afba285f1f19276810c53db7e3dea55236f

SHA512
946d68a8686e15202a4967fbe4692faa563c33260bed409940e49df4b7dd21890823c53e4ec94252410998942494830f95cfc1735f40990e1610e8ab62829c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
159a270bfed3f9ad7b8c7b1d83220fbe

SHA1
98bdda5643f640d5063b92868afe0c5650e1c242

SHA256
7d2547e95ce0648706b9deed0a078ee3d700ec059b570aea061f2a0ca80f9f16

SHA512
f3b9efa1b0903a6c3d715270bab35dfed310980ceeea26f1495da33598f93a49e38aed67308514187905677ad1371aa82fae44170550c176ea5bd4fb4c81170f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5079472b95e3f82c90c7c5f33a7f1161

SHA1
d37d8b425705690f5e1b27fb69c79500c45488fd

SHA256
4f919b152b4dcb51d20337dc2082ce83dfacba49141c4b4b010f6294a361a4f3

SHA512
27522c90a9b89226a8037351d06068cb7ef94925af220f3079426415ae5100dc9694963963b1c2bbd1c5c0283bb12148cae2dae429a78cb66b1b98ed3ce8a603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9b1fb951021b455111d2864398724d08

SHA1
2c80b42266ff520e69cf6b18d07a0ea5bb660894

SHA256
ed8261649a1fbc064d3f988b36142f239fffd166e7c6e22a02d2e1c750146370

SHA512
e64ed6079dc8e60d073a4e2e0c8736e6569667087ffae019823741d26ab5af494e919a84e14b6d0f4a9ceb0065d99204e91ae6d74f67a52923ade031c1ac3ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
270KB

MD5
6a261c4566c5445a9319e064e55cf2e4

SHA1
d80d5768cfef91f285f77cba236e20fbbdd99bf1

SHA256
06e35f1f5b4bf477c162ade3503667b6732707e8be906b5ff6b3d8696a341bfb

SHA512
c7a819707be615f9ed2d7028413d9ed0a1f453395079962e7e4b3b5c56db63c989d67ca906cbdd46c94f50ac647cb930ef3695138f913635e5d02ddc8522e82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
5f8c6574f091407b3f3a67d6971a87e6

SHA1
2f6cba390ad16df60daaa9c328f63c95393e3630

SHA256
2418cfda1321abc2bc093b966f681b9052bf13448551f7d0b4acc6398cef16c2

SHA512
18f0c36861e2bfcf20aeb8a2c70aa4ea71f4fc7396c87f3eb7be6740c4f9f301b5991f095534279a3a08a9d277dae6c8b89aae00fc1cf712fb4ff18edecdd2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
17cc3457b6ae0cbcbc8ed8428ee5e8dd

SHA1
d9c62410fe31cca95b474cea87a89a33d7bdfca6

SHA256
f36482688b95860b55c4dafaab15a619165d97934126db32c603b84955b22ce2

SHA512
57772437997ca73fd56c81f0b73cbcc16d15d299ca54af5d4693ed8bdb9a7e51ba2d3351a3ff1ec6e8cd689303bcf2436881b8c7dd45b47fd66348983f0e3c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
e111020e9d0ffaa16c3a3424daa17930

SHA1
0bdb4259822566816b3a966b9b6861a5de0a8626

SHA256
2234f3c08dbbc5d382810080385c4df5f8ba6da8fff5f66c7bd49cd535d69d15

SHA512
89f8a0501899e83b074ff335f3975616e1d67aef34ad64a9af8a5ab448b5d2b77617246933257d4b607efae1eb2c9bb72c83ab47572f3f22ae9431be19a87f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
69KB

MD5
7807478b9b9029b3f55855d72cbc0d4e

SHA1
c089168f7f863d5cba8bf09cf6ab44131ac02659

SHA256
890255c18132529a865f2fa4acd70d08c1cc9a9ff96eaa9ab715105c7d975570

SHA512
1fc4766617a046fe21550412246d88b4f78694243d5fd55bea7f047f6ab8f7b5f3fbb47a13d63f76fd9080676f5ce66dbced1b8dc466370712fc7156f8152bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
69KB

MD5
4a8a23d2cfe7645eb20ef7ff676cf71c

SHA1
b5e0feaf0d40c1607f3b310dee135481344d6a72

SHA256
1eaf0b0eafd9052c0992f2a11d1b7fd59b66f59a0141d0c6af955efad9f5acbd

SHA512
f0edf33410ee61e8cc944468b80791ac253d5d2af63c8dfb327d9c50fc788ac21aa3947bec2de50d6d038fb84c2c82636bb3930cf628ee227431a6fd97bb0861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB

MD5
a346f9863fdc77aaa392e7ecfef4d726

SHA1
7d1e3d3a955bcdf66dc2e69f09d04d0e56960160

SHA256
a47b860af127a319fdb4d2f60d5825d27ff858ce022430b1ec66c14b7fd40849

SHA512
915d54ec26f8a818a552dd2af69914f773b40e3a81d645dab4e226e298a5436819795f7fe8728d08be30b61f46c64f6ee9c18c1b964c8023d1951b77d340f9ae

Download Submit
\??\pipe\crashpad_2644_ODXCCFRHTPFEURQK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit