hxxps://mandrillapp[.]com/track/click/30786787/www[.]id90travel[.]com?p=eyJzIjoiMElrOTNza3I1RFRTUnRUcTQtR1ZHSU5HbDRzIiwidiI6MSwicCI6IntcInVcIjozMDc4Njc4NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmlkOTB0cmF2ZWwuY29tXCIsXCJpZFwiOlwiYjQyZTlkOGQ1NzdiNGRjM2E0MTUyOGMzMDc3NDE4ZTRcIixcInVybF9pZHNcIjpbXCIwNTEyZTMwYTRhOWQyYzA3NTU2ZTA0YjI4YWJkMjRmYmM1ODVkMjE3XCJdfSJ9

Analysis

max time kernel
570s
max time network
567s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 23:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mandrillapp.com/track/click/30786787/www.id90travel.com?p=eyJzIjoiMElrOTNza3I1RFRTUnRUcTQtR1ZHSU5HbDRzIiwidiI6MSwicCI6IntcInVcIjozMDc4Njc4NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmlkOTB0cmF2ZWwuY29tXCIsXCJpZFwiOlwiYjQyZTlkOGQ1NzdiNGRjM2E0MTUyOGMzMDc3NDE4ZTRcIixcInVybF9pZHNcIjpbXCIwNTEyZTMwYTRhOWQyYzA3NTU2ZTA0YjI4YWJkMjRmYmM1ODVkMjE3XCJdfSJ9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133224495193451357"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe
Token: SeShutdownPrivilege	3728	chrome.exe
Token: SeCreatePagefilePrivilege	3728	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe
3728	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 5032	3728	chrome.exe	84
PID 3728 wrote to memory of 5032	3728	chrome.exe	84
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 3380	3728	chrome.exe	85
PID 3728 wrote to memory of 640	3728	chrome.exe	86
PID 3728 wrote to memory of 640	3728	chrome.exe	86
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87
PID 3728 wrote to memory of 4548	3728	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://mandrillapp.com/track/click/30786787/www.id90travel.com?p=eyJzIjoiMElrOTNza3I1RFRTUnRUcTQtR1ZHSU5HbDRzIiwidiI6MSwicCI6IntcInVcIjozMDc4Njc4NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmlkOTB0cmF2ZWwuY29tXCIsXCJpZFwiOlwiYjQyZTlkOGQ1NzdiNGRjM2E0MTUyOGMzMDc3NDE4ZTRcIixcInVybF9pZHNcIjpbXCIwNTEyZTMwYTRhOWQyYzA3NTU2ZTA0YjI4YWJkMjRmYmM1ODVkMjE3XCJdfSJ9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf8619758,0x7ffdf8619768,0x7ffdf8619778
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:2
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4848 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3464 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5436 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5588 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5820 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5668 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5904 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5876 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2820 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4620 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6052 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5748 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6332 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5016 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4568 --field-trial-handle=1812,i,8162119701034224948,628517361173278119,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b

Filesize
37KB

MD5
d90cb261f4a509d886611473296e188e

SHA1
23551f9039c8b855b496f017c8f75b32f6e56671

SHA256
ca6c7cdd1e68e9f251fbf58e0b0ad9e883b38979e264c3cf4125f603b21c8bb4

SHA512
1cca6c9490c8f7adca7441ffea3e7445309d0c52fbaf7252e4c3c73525e00233a8173536c031747a55343bb86e96618d9c96afc6e4f8d25b0106729cca5c8031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
866c0b48c360a330e6ba5afa680d1ccd

SHA1
caff3300cbb3ee3f19fe46e0353daa52671f98f0

SHA256
a95319e3a67f65e2f59b805f14005a1d8e09a8c4ac5d2e87c3113c1a449cb2d2

SHA512
3535183f54a4c9a204f711582e8b3186342010c32c5ef7d83151cba25ca5bb1df3c7a4e1df9bfcff7c0141bf01bdb7ba82fa9f322bc296eabcbae3a4e327d3e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
abf0ddfbba202e43288ec59c062dfc9f

SHA1
4043b5461ce474936fe7d56ab1fd7a2f34028430

SHA256
7b0206b3664bb8d564fd69405d894e039ac72df5d24f1fcae874f0f4c01c35cf

SHA512
ea3700d38d2bc2216a7134e113fc6e341d797c5c16ed1242db1272c2956cddae702413a322fa83972529100642740a09892879888bc006b199ba330ff59e434a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
5a6b0e4a6b1e1ecdc44f7c26624239da

SHA1
82c4f71a3482b901203727c192a7b9f150a91057

SHA256
0aa066eb510c753dbb6d934d753543ddb81c165e88cdc921bd2508706295665b

SHA512
342bd76023c9922a37a3df7f5143b29b2e211a065e200e7309b11884f2b619823c183a00d9d1ea4c9407bd2fe8e839950f93731a14411e0464eafac960a6e4b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5957cec3996f9bf77bb764693ac9f8bf

SHA1
b82955c28c23351bc75df404997297c933069a65

SHA256
6786719e806b9a820f27bd2c28ada198930c32559fedbecf56a1f022787c0a4f

SHA512
3c7257468d727d9bdbba9208952290936ef948a5c4a55c08f21444f4ddbc3097f37457e0c9a35ffba90053f7c6708f6f16d2cc03d66339106e2133fe9c05ef93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c3bf14bff8d96c0326e0c172fd2a58cc

SHA1
df465e0d4dbbb66b2f0663d4690f0bea4a52fc35

SHA256
9fc081cd861ffd023383d307ff5e924e982c0f3d80e9276ff557f2788048f2f8

SHA512
a403bc6200a0650a69ff2cd9152840a1da035333f5999068eba5ace3de8035f95c0ec0e23d4b22011c22f3a8ba9102cf3880a0d6f387c7cb9ee4d9b92f8ad9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
22b24e9aa77637eafd1a1a81ac80aec5

SHA1
27c31022e0d6aa0087cb14cc741a0e74033d5473

SHA256
38979b4b45385145791f72b6aeeca2919f10effc7593e597d36a4db026b0e7a6

SHA512
52de253b33b9c180fba72d55f9c23f63accba214aaf96cdf28763f0742dda20ba79912e043d29bd34baa46436f6bda1e1f57f22fb05a7f18ce879b2136d30b0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8abfbf071aa73f750823f6763dd60976

SHA1
ec95f771913a54cfc97f1b9b2b5f730e1219ad79

SHA256
769224f75e39089d5a1da850d156a51e6871e0a18970314ba8ddced679ba36a8

SHA512
0548d7c6527060d6922a2fc393699e6f802063863836d7dd92973d6cc7c701271aedfea811521863bd384182276096d3482aa5e49afa1f87038e0e67169da5b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ffef26ad66a78143f37d6a2a53ed3460

SHA1
f9ea6b7381433cb01072ffefdf7899ed138a1368

SHA256
73bbd74772172640c3759a0ae7b9dc28c95546374ef31b0d8544b5879af8c8bd

SHA512
6318a640ff5b073c30a72d2355ca22aed6e19fec0e9e1bd2f1e927fc0f466c98cc05e3fe5e1a81f7c942f3205841178a24e58134ad828d8f096c885b5fb19a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c038ff71d571d67fdd2c73464a5b1cf5

SHA1
c1472d75ea5f20d6069902c44ecff37eebd92f1f

SHA256
88014f963a02e0fd15c5fe0ed7b9fa438ff818ed7481cdf6a85789cf09a134f3

SHA512
fdb8cfefe4bd0f9a83a6be4521756f6785aa6dd69904214c7e14a85aed71e36b39d567e7a8540f2ca1292990c5cd0ddad0b94644bc4123bb1aaa706a68b9555e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
aaebd80fd0dddd591d003d78765e8404

SHA1
c12d26e4990e36d65dd3855870a64c4efa06078d

SHA256
9ae3660c7029750a17da97df0570e1ce9cbbc7dfbe870cd1411b9a9ec253e4b1

SHA512
64166c477d8f91504ee533099459ea6298d2ee6e8cb255981b532bdd0ba1c418687c51d423afe4113847621eb911a098e847b60c44a7985e5ecdbb2b57852f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e143a36a58419364b00ff7f1c594f07a

SHA1
5fec6f8426895fe5534ea23d71dcb3cb5e7498a4

SHA256
96ada62a627e2eedb05a24848ddd8fe5f91d69dce0a8d269ee1931b5cb830351

SHA512
f52a437e97bbb80d01646d46c7d8ac2fc06fea27106e03eca59c8b097217dc15f2bbd51f2634a0665870784b305605fbb14cbda0971209dffb648a9e4297aa4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ad8aaa7e7fd0db3cf43993ed53196403

SHA1
5fc0b19bd1d21275e253f133b12e875e1d27f3c4

SHA256
59d357c95a83abe9998f44ae8d71d2d54103e6505a81921e151cae56e99e7ecb

SHA512
766f01461315e4fc2f518aa90ad0659fab4be2b467de2b0bdc4f2160eeb751ffff34b8c8c3a00096850bfbfcda33100aba106554859d40e55483ccbf43b6c9fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3fc2b638a5b2988e4707cf7f6032f2cc

SHA1
3e4cbfcaaebd7421d2bb6981a7575494fac3e9ac

SHA256
e86443fc678b8090ce6104e2fc1058c97f14cd2ade36be52afdcd136e82cd74c

SHA512
bd30a2148f58e91f57195e894066fbc8dd843fc6d50bc6f93b766f8b6b2d8756170b95a973ef7f87b0581a55c06e22ec9b43660062166b8318675b25dd54b436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5768fb.TMP

Filesize
48B

MD5
4b15a176a928dcaa9ccd4df1c422f3df

SHA1
08081fffbc16c974cb2a7bd9cffbb27b7f9bcfe3

SHA256
1553536aac46a8725aa77ced4786896f2b751c289cf1a5204f938a65d4c54558

SHA512
2715a20f3a3366c6d463a3bcb4fd9008cfe965b93e5e2e683078bfc67c391113f56cb8ba931be359ed5cc8d4cee71c66d6366c3f1cff11f8f7c1e28c6c75f98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
f28f3422c374c8f071d1cf2acac1a495

SHA1
6f6ca9b4598f87dc3a34de53e0ccabe5a2cd66f5

SHA256
280a71173390e87175a7e1a5d4face99fb7a2a27cebeca69fa7a1decb99b1a1f

SHA512
fd3a05525f60788c3261349fadc0216b7194e5b29ef5651ad06b15afe6366e078ad3949f6d8e371ad7b85a4c351afeb15d23f1603927bcff62844a48576f966d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
df77c198fddfe3eac2f1d04922af8d92

SHA1
284c6e45fc729f6cb933f44d000c013088b1ac27

SHA256
f2f1ff6cfc67842f5be8346e761d34445ad5495e1a848111945cab584833b3a0

SHA512
8d69c0a1afa5f2eee49ceede455d5b16629fd9cb6ae156c3e5e19ab1d0cc77a9a6b090da68c7310f90523c73fda79dfee25273350f1ba3d7645347f590131a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
671b1196c031251bf4e2320609d8449f

SHA1
eba7ff6c6168b8e81bc2b6a77df512bb298a77ec

SHA256
0abdef0dbe9555f4d718836f7381605161c3be9e065d67ba38d796f2078027b4

SHA512
fbe6ef0fc364dcb0f73e34406c3823430208e178c6f18aa14f2bdeb32a6b1bdc01be138d21e98c3f846ce32fd7fe3634bf8a2e221fd73109ab407a3d45d8f6e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
c44f673a4989c07f1404727791e077ae

SHA1
af1a82776cda994007c905f9b4f86566143fa66d

SHA256
bf15966533954611d455bd6590fcceae4a55d3e6a9c11b17b88099ba07645555

SHA512
314899680a0e6f7063bf976a2501f14852c768126764c51020969ebd9b2eacbf84cc85e776001afcc6dda2306ee174808b24568d82ef323ba154d8078d69465b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe575004.TMP

Filesize
100KB

MD5
4a8b5e501d5300e19d1d7424f8e269cd

SHA1
ad62797240c9b517d083c8d16ce09f472ef3df13

SHA256
a1c44cbcb22914c66e78ad850aeaadb6023909a796115a95ccce32cf4eb058fd

SHA512
903e7a29e4011867ea7886ae2dd583cee89866655e613b985caa60814ccc6c828eb87f66f5e66b355679e678c29168c1b04c26fa8645495384c5e86476749dae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1108-646-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-641-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-644-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-645-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-642-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-643-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-640-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-634-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-635-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1108-636-0x0000016B81310000-0x0000016B81311000-memory.dmp

Filesize
4KB

Download
memory/1584-376-0x0000019F19170000-0x0000019F19171000-memory.dmp

Filesize
4KB

Download
memory/1824-301-0x00000209F0B90000-0x00000209F0B91000-memory.dmp

Filesize
4KB

Download
memory/3312-155-0x000002D14C520000-0x000002D14C521000-memory.dmp

Filesize
4KB

Download
memory/3312-156-0x00007FFE152F0000-0x00007FFE152F1000-memory.dmp

Filesize
4KB

Download
memory/3380-136-0x00007FFE135C0000-0x00007FFE135C1000-memory.dmp

Filesize
4KB

Download
memory/3548-502-0x000001AA95180000-0x000001AA95181000-memory.dmp

Filesize
4KB

Download
memory/4816-504-0x000001908C9F0000-0x000001908C9F1000-memory.dmp

Filesize
4KB

Download
memory/4828-302-0x0000014A1F6F0000-0x0000014A1F6F1000-memory.dmp

Filesize
4KB

Download