hxxp://googleads[.]g[.]doubleclick[.]net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=https%3A%2F%2Fbaronemperorgt[.]com%2FNew%2FAuth%2Fmhmrhg%2F%2F%2F%2FdGVzdEB0ZXN0LmNvbQ

Analysis

max time kernel
599s
max time network
487s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/05/2023, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://googleads.g.doubleclick.net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=https%3A%2F%2Fbaronemperorgt.com%2FNew%2FAuth%2Fmhmrhg%2F%2F%2F%2FdGVzdEB0ZXN0LmNvbQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133284962174091618"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\chrome.exe	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\chrome.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\chrome.exe\shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\chrome.exe\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\chrome.exe\shell\open\command\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3816	chrome.exe
3816	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2716	OpenWith.exe
780	OpenWith.exe
780	OpenWith.exe
780	OpenWith.exe
780	OpenWith.exe
780	OpenWith.exe
780	OpenWith.exe
780	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3748	3768	chrome.exe	66
PID 3768 wrote to memory of 3748	3768	chrome.exe	66
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 1812	3768	chrome.exe	69
PID 3768 wrote to memory of 4172	3768	chrome.exe	68
PID 3768 wrote to memory of 4172	3768	chrome.exe	68
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70
PID 3768 wrote to memory of 4124	3768	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://googleads.g.doubleclick.net/aclk?sa=L&ai=CJF0hsbsNVNi_DIPR0AGqhIGYDPfOz9MFj-TFvsMB25uy0esBEAEg4_uTA1DMiaOOBWDN8N-A5ALIAQSpAgbEodTv6J0-qAMBmAQFqgSnAU_QL6NE73jlCJ7TFvA2kg2Ig3wrASDHwt7I6P2gJSz2wmCekvewEDUw1zPqYx0NADEmzairfw3ur1wkNI8P6teiwhlldXdj5OGBN4lmsCEDPv86I5o3eNVngnJfRiuDvxlWje20-VfTVoLEZHjLsyN8zQleVTsGbhHjd1BSHfxBMk8P6-QwvlL67TaFDfOyk-sIZEC0a7hK4DdrheQBo-5kNsgA7ijRoAYEgAfP_b4i&num=1&sig=AOD64_1QMErG-pSUGweRO5zdk0lMn9Ngwg&client=ca-pub-6219811747049371&adurl=https%3A%2F%2Fbaronemperorgt.com%2FNew%2FAuth%2Fmhmrhg%2F%2F%2F%2FdGVzdEB0ZXN0LmNvbQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffab6a79758,0x7ffab6a79768,0x7ffab6a79778
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:2
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1652 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2752 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2772 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4736 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4988 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4672 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2796 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5620 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5612 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5904 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3228 --field-trial-handle=1740,i,10085606067036457884,9293667619118761423,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument mailto:[email protected]
  2⤵
  PID:3632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffab6a79758,0x7ffab6a79768,0x7ffab6a79778
    3⤵
    PID:3324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7c48dd2f4e33b67ffa3236b9ea4aaff2

SHA1
f66927a44e7de0c0038ce744d1d1d7251742702a

SHA256
b496c6028f1d5fe18f50705c8108ae84820748a3a2286cc9b56d2bb5a38aab02

SHA512
6ccba975ea123b1f59ddda5ec486be685df0ca1def0d34ccd160047a3fc9b126ec58092ed3f98b0cd6cf9df53a95083ddd979ed311d06fcc70eda216501dfa50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7c48dd2f4e33b67ffa3236b9ea4aaff2

SHA1
f66927a44e7de0c0038ce744d1d1d7251742702a

SHA256
b496c6028f1d5fe18f50705c8108ae84820748a3a2286cc9b56d2bb5a38aab02

SHA512
6ccba975ea123b1f59ddda5ec486be685df0ca1def0d34ccd160047a3fc9b126ec58092ed3f98b0cd6cf9df53a95083ddd979ed311d06fcc70eda216501dfa50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7c48dd2f4e33b67ffa3236b9ea4aaff2

SHA1
f66927a44e7de0c0038ce744d1d1d7251742702a

SHA256
b496c6028f1d5fe18f50705c8108ae84820748a3a2286cc9b56d2bb5a38aab02

SHA512
6ccba975ea123b1f59ddda5ec486be685df0ca1def0d34ccd160047a3fc9b126ec58092ed3f98b0cd6cf9df53a95083ddd979ed311d06fcc70eda216501dfa50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
29e8122cf0bba2f14a01ab00c5bfc1c7

SHA1
5fde5784521975241bfda83788adb9a7b9fc75cf

SHA256
0091f3ee958a5a6a6c0ec76ebfea3d1497c1bb53fdfe9383b8c2258f8dcc943a

SHA512
57c990f1cbcc099b33f38e0516c2c7320da75cdd1a9624194ac3b4101c3eae3721e3b9d51dfafd97c7fda81c4538675a1954fad6a2c66d44b1617846260f8fa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7be77bf79f5967c94e4277186bbf9199

SHA1
6948c166f9448bc3b84edebf0678d6f30d8db1ab

SHA256
e769625b5a0215047eb2a2da16eca060b57771b33c4ec7715f55a03c01e96fb7

SHA512
bf3f124b1d198586d3dacd45efab99963d71be5e75bb737ea748bc0fcdd48b8a7bbaae1299d3975464cc40d1e9b563a3afc3af9dd84b0a1e613c8b05c7b34e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2798930a2bcc4c741213758468e38dbb

SHA1
aea6f20153e328be6a7393de2a417813e60ccfe9

SHA256
11712c73e7a975540164bfe1b4f19d92089dc9b948a2de522283dc55468e7f22

SHA512
03e6afd64d86e7217ca09f48173fa8664827cfc95bfcec291f25dc9a6c48d7c8e9275250b4efc783432cc725582094a3466c6de993ce8b42153ac05a5c382778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
e048d2f5d6d20fa4f7f13ba64fe2f8e0

SHA1
d5dc65c3d368ee5ab8e57887b51d8f04258b801e

SHA256
e459272e5c83c5fecbcd2a6899a99d3713bfa2724afe66e58c2245d6de3076e5

SHA512
81e4fb278702177a104aec2eb8a18d9fb86954d06c0630f356fa19d7e1938683f5cbeb253348a67ae36fd900164b323f5e5a5614183a5120bc2a14684364ba5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4d99435d8774d2ca43395250e58f0af4

SHA1
a4af9b78b7dccf9ce4b437108562c63a9b72a8d8

SHA256
6f3f64354f34f4c043c0f7625bea501e1f5d7b66203e30f9586ba11507ecd390

SHA512
5ed98bec407f46b0b0111d7fa6ebec10cea0f09a87874a16dfccc2421799a8d4c0fa1c7ab3b162dea220f7db5a379d0fed497d97c9c7b5e403b6ecdb2eff5e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e115141f4e9e013e387415834a44806c

SHA1
9f2e1b0ea037ac54a7cfc50d7391c208d5c74bc4

SHA256
1cca596129bd2a1d8130585552f319584da3920cd21ba12db1c2968213661606

SHA512
2495f8b14701e06970407dcf9731dcb354bf38caa5ac45affe8c9639fab227cde6a5aa4ed59cd6fd65ffeecfa62aa91c9c73a2fe01f435e854e43773ecc40025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8e2b1abc55ecfeb4736fde9a8961df28

SHA1
d5c2a2061a492a8d74bd8759f817793ae0defce0

SHA256
d288660bff32a966d2834e35ac29cfdeb17d6bb9b0516144a69812700c291b01

SHA512
760f78e908c00e2d21e4858d617a3e4837ed851973817fc91720052947569638fb30aa10f0063a07dc0e6f2a18e4a5cb5b26357c794a2cb675c1deb9efd39728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
70d273888267567f05b5db1db0e899f3

SHA1
09ed53a703b27e6da92fa5baad78ee5180f0f935

SHA256
d4b8316244e7c44923adf51f099cf1b3a4bf13e45b3d7eef327d195ef6d7fafc

SHA512
40902c20876441bf8ecc88839ad4d766df96a40fe7a2935e19bf005fcff53afa8e3389bb5c07009c2a72740ddad056bbeee91e041a93dfb5dc3e5c9339acaf7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
ddbb19bcc6dc5e3b833a89c3f796bdea

SHA1
7539596df56503401251afca621a012cb4ade55f

SHA256
ac3c3b3ffac6495f48f0dda22f589174d46a6411c22bea01763c001824a90377

SHA512
16fce7df3863e953c0f6711d835bd3ccc696c896da0bde970143e00b553567baad2448cdbc49fa302d8b553ef94bf7910987af2a1f5bef0138707144cd203ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
17f0630547297c977780d41af57b4c72

SHA1
8c4084c8b1752174706fe84e6770b1e69bd7e9f1

SHA256
c54d7c906390ef10c1cb787f558ec416b59eebc24f275885658dc0c0b90037a6

SHA512
f0a936efaa7c660f878c6179fecc2c94ed7ac51dd6847e85a162ed97967f54c28a3d6aeccb3d7fcf9b9a4fe965c9fc0c3922a12ffa3becbfdd6cb97171e92a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
eb178ecd0fe7f435ddead8d03e439f8d

SHA1
3dfcdb8636ba4f3539b040c796834b3910fde0f1

SHA256
cf0aa6f8f51365f137ca257a2ad8aa281323a16ea35ee509961e8b64ed436326

SHA512
90a22ab09f1e196df644051ca4c23418b83dec9e367a9a186db5fc2a66882f59a85896f3a45e28db87b17fd8e44ebaa7da7e84ba2415252bfa505231a60154b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
567f8d805debf5996b6ba8e90d647035

SHA1
b7f01b6a1e57b1d09a031b064b06ddf9c7e177dc

SHA256
47b632295d5860db742ef2fc7e1fe55066a7b410358a7281720efa87203fb0e4

SHA512
027addeeaea976d923c8429675df90872be25a4cb912c40aeb7a3cfc7a9b66a785c7cdaad842c95430fba5a303dc61b92c54bda3ba2df6f861f9d6537eb4a226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe56d44c.TMP

Filesize
98KB

MD5
1b7d9a917f8338131de7028b97d83f63

SHA1
8515454eae088aeade16da849af9e15839aec761

SHA256
1ff909cc78237ae8b08bbc9066e13a2f261d06a1eb806e7a7472b7d9fc1f51c8

SHA512
f50b0ec981b06ca09ffbc0f5e4f349f8c8814a187c6547346801db6042ab84f68e6f5d7a5d241c7a34e1b06682a7eb25634c3d8713b93ceff3e2349c7f26340e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit