hxxps://awpi-01[.]mwoengwage[.]com/v1/emailclick?ewm=joaquim[.]brites%40sma-europe[.]eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00[.]5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02[.]859891_L_0ecli27&rlink=hxxp://ykw[.]sdq[.]stwpbogor[.]ac[.]id[.]/?QQQ#[.]ZXR0b3JlLmd1ZXJlbGxvQG5vLmFiYi5jb20=

General

Target

https://awpi-01.mwoengwage.com/v1/emailclick?ewm=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=http://ykw.sdq.stwpbogor.ac.id./?QQQ#.ZXR0b3JlLmd1ZXJlbGxvQG5vLmFiYi5jb20=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133236176875898841"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3024 chrome.exe
3024 chrome.exe
1552 chrome.exe
1552 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3024 chrome.exe
3024 chrome.exe
3024 chrome.exe
3024 chrome.exe
3024 chrome.exe
3024 chrome.exe
3024 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3024 wrote to memory of 1056	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1056	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4708	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 3788	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 3788	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 1352	3024	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://awpi-01.mwoengwage.com/v1/emailclick?ewm=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=http://ykw.sdq.stwpbogor.ac.id./?QQQ#.ZXR0b3JlLmd1ZXJlbGxvQG5vLmFiYi5jb20=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa52649758,0x7ffa52649768,0x7ffa52649778
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:2
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4468 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4660 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:8
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:8
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5004 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2456 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=212 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:1
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 --field-trial-handle=1840,i,15679003213174857678,6810036518306061356,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d38cb101a557e32ecabba57d1f29ea32

SHA1
80df583ee1a5cb0cd1578470875ca2cfb52be602

SHA256
0405c5324d4385201d6abb761c3125d9f79135967fc19a496db709d2d448a7d8

SHA512
393a4258f160d7ab97f513eb7c00bfd5ae8889cfabe26424551067d90dd955af0fb346f6d3fb12b77fb2d9c3b486ee1822f5c00c81965c15671822b4aa51f86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
898811ce6e31db4d5184a625831f7250

SHA1
1e1210c024baa9d59489120ccee9c5731354e559

SHA256
72638b470968a7aab7e83abe200a89a7f06bd3e11542c3bb0f46f6887156a631

SHA512
ec74c4bee3d48747a49f94c5be2a2676a1734c5fc6fa56f57068ce14f544221ccdd461c09efcf2d85317ff506770438a7947a1bb9a4e06482241176333d2cf44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c8a32eb2d31b4871d87cfd39874f0c10

SHA1
66737d8e721a92625d7bda8523d6af84f471c45c

SHA256
944b92da10c3161bb709b9e0d7eeb44637dcf3c23ca8c01dc14cea162bafd6ee

SHA512
8ace4c5846c330c11038dcfcd613b243ba2288caff4f361746497a835289bbef2e7e9ceeb1dad3af3053e12318afd7d87b2114a5808425df76b4a46cece69e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e271e4e34330bc2091a15b8dbe777ea5

SHA1
1cd8fee36303d3e382ecfb291c307446d9d32e8e

SHA256
12c7ffb94518219126a302ea82d988c1ebedb50f761898fd5ff2a2397d5d75b2

SHA512
6da61503e7c8206e8918d1be9d2a94a0218cf9d709c3b10b131e809ebb4d2755678f74caafaff46cd88405faf9e3b7202ba0ebf62876fa429c19d98ce130102d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
a5261c87c0a7b71ab2b021d389b5d788

SHA1
4760a490c12711dc5898afd40e193e0c3b85bda3

SHA256
bf1aab419fcff350bf7aa11c8c6a4b88c3a3bcd7e0ce99c3830a1b432e6567e5

SHA512
fc4a7f209b40a4c00bc416d83cf78cb7d3caf274818098f2f0e1425e49d431ba1089f243ae0708a3ad919044d345c16191d25bf7cfc4b26a6df5a6058b14515c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads