hxxps://18M23[.]trk[.]elasticemail[.]com/tracking/click?d=9Ogug78yi3qyC5z9FUxKD0ZWWzM53BMIVhiHiQRHaPuoEng3kP0AZiHpOrnVW_n124jlvlMOtNX1_2Qu3mX3ha64LvEMDHOCb160ZCD0ea5urwR38jG-eAXUuclWDgQIE7I69neQ9KgxYfHiJPbpJm5bwp2aNWocDkeccApmCaN3K3qN5WMvpDKKovrslf8Vh2mXYDGB9Q-huGtdPacn1Zu6ugnTx4QrlY8025GwWOJkqfDZvqWmDEkxKLvJskDZy7AP2j9mpX3rzXPkp2vqvpyDkP1L2rq037XECseZoDONB91m5aymsbMWacIMKHuKQHr6mzczLDZUfZuJPNGW-GJLfTVb1Td0TbYRP1oJ06lY0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://18M23.trk.elasticemail.com/tracking/click?d=9Ogug78yi3qyC5z9FUxKD0ZWWzM53BMIVhiHiQRHaPuoEng3kP0AZiHpOrnVW_n124jlvlMOtNX1_2Qu3mX3ha64LvEMDHOCb160ZCD0ea5urwR38jG-eAXUuclWDgQIE7I69neQ9KgxYfHiJPbpJm5bwp2aNWocDkeccApmCaN3K3qN5WMvpDKKovrslf8Vh2mXYDGB9Q-huGtdPacn1Zu6ugnTx4QrlY8025GwWOJkqfDZvqWmDEkxKLvJskDZy7AP2j9mpX3rzXPkp2vqvpyDkP1L2rq037XECseZoDONB91m5aymsbMWacIMKHuKQHr6mzczLDZUfZuJPNGW-GJLfTVb1Td0TbYRP1oJ06lY0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133289789096188312"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4508	chrome.exe
4508	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe
Token: SeShutdownPrivilege	4508	chrome.exe
Token: SeCreatePagefilePrivilege	4508	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe
4508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3260	4508	chrome.exe	81
PID 4508 wrote to memory of 3260	4508	chrome.exe	81
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 4844	4508	chrome.exe	84
PID 4508 wrote to memory of 2308	4508	chrome.exe	85
PID 4508 wrote to memory of 2308	4508	chrome.exe	85
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86
PID 4508 wrote to memory of 2768	4508	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://18M23.trk.elasticemail.com/tracking/click?d=9Ogug78yi3qyC5z9FUxKD0ZWWzM53BMIVhiHiQRHaPuoEng3kP0AZiHpOrnVW_n124jlvlMOtNX1_2Qu3mX3ha64LvEMDHOCb160ZCD0ea5urwR38jG-eAXUuclWDgQIE7I69neQ9KgxYfHiJPbpJm5bwp2aNWocDkeccApmCaN3K3qN5WMvpDKKovrslf8Vh2mXYDGB9Q-huGtdPacn1Zu6ugnTx4QrlY8025GwWOJkqfDZvqWmDEkxKLvJskDZy7AP2j9mpX3rzXPkp2vqvpyDkP1L2rq037XECseZoDONB91m5aymsbMWacIMKHuKQHr6mzczLDZUfZuJPNGW-GJLfTVb1Td0TbYRP1oJ06lY0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ca619758,0x7ff9ca619768,0x7ff9ca619778
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:2
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4908 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3364 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4672 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4472 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5288 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5584 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5628 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5404 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1816,i,10017098003292574778,1838256260456143157,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
162KB

MD5
08f3851748975142ef7c08a8ea1ce61d

SHA1
31ffb52b4d2e4263a2b5a19195ee1784bc884a15

SHA256
e374d418c7975a482356a79e25f0722ab71616be443cb19d96ef88706937bf30

SHA512
d4b86e69582cf1bc33991cd44eb1db26eff3013dcc7ed34d8b7d890be510ef3949a50332e732c22182a8fcbba418c6ba18aa031a6f0b5b621ea2211e665af3f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
13bb64d89cdb8b8a520f8e40b345dbec

SHA1
29a90fa4cf2a721354b41b313c551dfe075bf32c

SHA256
0f483f07c1e0d9c8ffe3c5c141a331aa12367217684c6613944f74f364db253f

SHA512
c04dea95879181a8427a6e30a75eefb3b0a918cefe474b890921e6763b90d92ed58a984985a1ff57be2a7fef89b24d868d728bf5b031acf72fe3433ea6fcca81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
26b19b0b7dcbf5ad2b31c02be59fe2fd

SHA1
3942f6cb93cd1f405177c9f2be610b00388fede2

SHA256
e5a8743da3e337e43476fa34c0f20d9e314019e86c50b0f11b5a820decb39d43

SHA512
bc5e5acdf4cc472f6872e70a3d89c894532db5508ed19dbb84b5a98aaab6d21aded1251a0a986fce6666ebaef2fad44ade51356d9e6fc5e38af77303118828e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
1fecb4cf82d9d9a47e7e6e098d4591c1

SHA1
1a6b361c3ff4d1e36e62d3f968ef771f0a5a9fee

SHA256
6746788d2b5902ed921bd46fba55e98ba2aa62f01adbc61292bc765518b477a5

SHA512
dd80ece7425a57320c7e166872424d8e930ad9d1887e9b6a805ee74df89e294ab2aec476fe0011b9ebd326bd60c52b060f02eb4cdfad8e513031e1d1f297a299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
210b448b1642cb5a18ec463d1553b78f

SHA1
b079e8950aed38d5839da582b6b8909a2e444263

SHA256
51f61e338c2afcfd68b8506f1947a2a4f9a22a059bfc6300b62cd27bcdc83fc3

SHA512
e028fafb8b565516f95aeb7b4c87bf9cf46864df4342fc2649a78699ccf7e058d9b162abbf79d55fa0a020641a96e98d08c60f5818fac6b0cf2af7dc5cf3be45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b69726cfbae3dc1def6867796b2619eb

SHA1
79ec334763a83dc89b798e553611e058b1f2b317

SHA256
be26c87325d03313466de3fd8d44bbe5c4d6b76c985f66aae815eb1f26cea5a7

SHA512
6dba59546f153ab299f42b428806ce4fa320a3208e8e9899d1dd6bd362059512b910ca983e2def2655761ebfabd16b54fbf3aa8934608960c576545ed01a3dbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d860e799e07f4c981549890cb9c3cd6

SHA1
51b324a7d66c8870e3a3c9604c16344a3d3c730e

SHA256
00a7fec9fff2ef4186593963c51c707a17edc3366eed72459f331c64b5ec6e4b

SHA512
43adc64269770566f1627b45ef35d8cec7a92747bdf5e837d6bc3acc4eba089c72601a8a76f3cf13efd42e8c92075f6fb93720be38a1e27b056fec334d8ade9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f7e94b57ebafbdf65646e4c72d37be44

SHA1
e5c7bad64bfcae2800c50e23bcf0fa891f8bb84a

SHA256
f9b43f4f9fd359ad6c6bf1e2f5120b67fcdcfdcc45aed82a53c94a6da06fd65b

SHA512
745d6ed232cfe110fba3a74dfb90a397d8ae69e2d2a4aca22479371c0e2192340e22554569440a9e4532a4d76efc07d59d58dccf986311f3db6d2314aa8b131b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fd37a494a78e3f47f8ee7cdab29cf829

SHA1
8a3cc1be34c7ad3aa1267e7b6dbfe419b8f0cf07

SHA256
2c7b8faae43293286c85caed030b7eefafd04fc453921e4ed4c3f766d4788a7f

SHA512
62af68d8dc7641f7c63af44dd80881c8391b6d255d628e4ad3944378847e8e90334c81cfdf753b8ed45fd900c86d1edf5b7ab8bd373435aaa9a3c5e433ab25dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0a74e63e8766f12b857ac21d3130647f

SHA1
dcaf35b53d2a8a8e41867b6e6fe38b763e8c979f

SHA256
18ae4fba561d3a57d4d172e184fb5bf03b1f57236aa57550c641c2185ac25552

SHA512
b5b3d855a37739f2c6d914577e7f26bc3514003b8ae808fd9583b1d4f1a412976926352b22dd930df84ee458e7aad05db998e31235918f29aa6a0c69ec1550ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579848.TMP

Filesize
48B

MD5
0cb019788771ebca43ac65e36f69a6c2

SHA1
029057c6c9c502232449e5ed8a71fdf7c58b165c

SHA256
6321328779086f44868fb81aca4e2934a9b15576d51b69dcbf8686be64b44774

SHA512
c1ccb9e918cb07c7cd0022fdc16b1590c659daf2e596d338af0618de305f9c14dfc3811b40a1418b24edbe27c4a6367909d012f0933636513308406fc1b22e9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
d60bcefa901d11e9156c707eb67d632a

SHA1
0588242bea020984fd55e67b431130452527d25b

SHA256
4c8459df655806577943aa04a4652fcdd4e0c636aba620a3bbe79422afb350fc

SHA512
1caefe31d0f11a9912b283890627ab5c74c35b1e337f924cfe7be8fbbca3663301d55072b3c58c55233b7178fdf7fc4d871ef6a52fc43f2d1b40d6e1f05b0713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
181cd718d91b97ad3348921e8083be70

SHA1
e233f0924d723d767c3133f6b6c96e235090b356

SHA256
a13c7caa9c5f13acbc068c6b0ad901a3f4953395b6445121e17c55d1541c408c

SHA512
dc575d0f1d0a77075518b81998f1786a94de677a02a2065ca114986b6edc3b7c93d1d69f30c8799058dd8905d3cd38a70f7a057ae00b1c55bb16f44a3cff28f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
4c0e6e2b61a9572540e3d5b8d7ab0055

SHA1
78ba176da98842a4e50a9c6af0f6103477ad77a4

SHA256
17fcb5ba0c8c7bed784d8af34f004c837f14be3a8d1e4f25ff2b0d36a8774094

SHA512
38fdc48913542dee4b998130ff9ee5f9ed512007d26c5ff4abb6da9db1860f78baeac38ee4c8afd8d9e79375934277b5c75ed12265d2d79519610d1603ad2096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5776b6.TMP

Filesize
97KB

MD5
45f7e517a79d839a95619a67d2578497

SHA1
ee4e9b8e11a7f3a19022685f7ec5744ebbd12c9a

SHA256
11912903927f3075e7fff99cb799175da361103495b303db92e4bc92524547c3

SHA512
ed38db65ab8ed68125493e09ea5630c4b6fcc4c61a827a65767d9863df46830ffc7af0e21bd157b679e1d44d14ee2d11b6b605bec4de89dedf27bb46b99aec24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit