hxxps://polo[.]feathr[.]co/v1/analytics/crumb?flvr=email_link_click&t_id=6356b996c1fccc23a0986068&crv_id=6463f2e263e449c697f8129f&p_id=63f8eb47f677980531c7036d&cpn_id=6351a37c0a37531d83bf8948&rdr=https%3A%2F%2F35ipd0[.]codesandbox[.]io%2Fereg%2F/?register=a2lrckBzY2FuZ2wuY29t

Analysis

max time kernel
402s
max time network
404s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://polo.feathr.co/v1/analytics/crumb?flvr=email_link_click&t_id=6356b996c1fccc23a0986068&crv_id=6463f2e263e449c697f8129f&p_id=63f8eb47f677980531c7036d&cpn_id=6351a37c0a37531d83bf8948&rdr=https%3A%2F%2F35ipd0.codesandbox.io%2Fereg%2F/?register=a2lrckBzY2FuZ2wuY29t

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133289873561022795"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
772	chrome.exe
772	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1176	4052	chrome.exe	84
PID 4052 wrote to memory of 1176	4052	chrome.exe	84
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 3204	4052	chrome.exe	85
PID 4052 wrote to memory of 2664	4052	chrome.exe	86
PID 4052 wrote to memory of 2664	4052	chrome.exe	86
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87
PID 4052 wrote to memory of 3236	4052	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://polo.feathr.co/v1/analytics/crumb?flvr=email_link_click&t_id=6356b996c1fccc23a0986068&crv_id=6463f2e263e449c697f8129f&p_id=63f8eb47f677980531c7036d&cpn_id=6351a37c0a37531d83bf8948&rdr=https%3A%2F%2F35ipd0.codesandbox.io%2Fereg%2F/?register=a2lrckBzY2FuZ2wuY29t
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a3d29758,0x7ff9a3d29768,0x7ff9a3d29778
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:2
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4900 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3308 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5024 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4560 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5156 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2612 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1136 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6120 --field-trial-handle=1836,i,15731100094978461943,1132458812818716714,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3744

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
78b370dcfb85d6c37f9c3c1a2f7936fd

SHA1
b50f856d9db95b341f4f0598f7fca023a7f2954c

SHA256
b3e0540b5621fa00c803ca018a3a4ba65d6ec10bba842f50855df43292f26971

SHA512
995f17cc5c8d22e2830c1983276321cd157927ec427c2fbb57b0979aa03f0542d394f8059d20a88f29534a76530339607196f3b3e29456c9c7a7966be868a0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
88d9e8533b0fa6ff603589e8d08970bc

SHA1
a86d429d6ab9962822d076ef38f20f9e26ab59c3

SHA256
a95f8955de6c87597e26334d1b45a3bae3a62604948443c03abf38d2da609aeb

SHA512
4daba996c688974d0f06d0148bd699c07e1ed595d7e7d74c89cf81c90fc7ed2c8f4120819432322c8b4595fe7c32472f8d67a0febdaa43dc246e7ab5d12b037e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a0e1b8085806f8bdbe416712a7e41498

SHA1
adc0dc2239a667b540bf859882b46130c2df5147

SHA256
1576bca9c36a9d7d429750e99f436965fdda6d2614f91d94e487429a5a6ecaa3

SHA512
9d1749845e15f82c63c45a989571c1dcffaf0a040fa0e879fde0dbbcf4f0419d8d95039963c49e658d62d899c84c17cbf67d80a1dee68ea585313c0c48c8c9fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a5e0aaa5beda457058013ee6c066a72c

SHA1
4d4bf5223e9c94bedff7bfbec6202c836643c55f

SHA256
4347c6c2b8f01adaece8f93c790326959a4529c11b829907b365636beead4c07

SHA512
3a8d0a491606e44caf94d07078c9c7143aa294dd016775f1748e6c9700c9c34d1ab2ffabd5ca771ec9fa398288856ee3efa54bb08767d6849cad1beec6413d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
264e685c278b089d27d1c019227af602

SHA1
c6d898d4e6b79c056afb33882e03399211342583

SHA256
a706ddb8d3b6893ab6ca18136c680935e26662aba98cc3ebdd95cdec7a780152

SHA512
4d475833c90a9497e04893852b3299bfa28056f269ff30f465de99d23b40cb45657a835bd2372ff2c161d3e6f1d02a4aa0f9225317e3260bea0dd84de2e3e1b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
6b06c20fc843cd88313af3745de608aa

SHA1
2a440e9f4852b5090ab5c1943d7074b21eac7951

SHA256
5da0aff8eb12629f5f21b620f8bd29dca7cb3f27d60da226ca7c3bb96b5c2f41

SHA512
c4b5ab438c4d79ac72eacdf5419558c342e450d9a14f42d3937df3c857ad6e9e2918322bb445bb5d7d0808f2b270deadd6d4633876adf7986237b9f9de09a969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
68617244f87b16285cda7e0721610830

SHA1
34953086180bbc98070723fc4a004e4fb1da117b

SHA256
a2194e0c558d046dc8e3aa948263dc4c0082ca6b800eafacc5db4ea555f252c7

SHA512
bbde3195aa35af3ce0f4f06ebf587c6b361a5c657c26a2710448b65578d68395f7214a704f3412f799966ce0b5b7219f4ac036fe9452241ff85f971e14499873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
3661ea5056376ecd99b8d31e630f33c2

SHA1
264983911773e60dd158f169edd130ed77f3f16a

SHA256
2a70777fa8fbb4905df1aab68fa66b9ea303fe6b6af1a04ccfb8f2eb0fecce8d

SHA512
e5c953489b70b2b219185fcfca76a168439816e81b330a4ccc2e8d4f251eb6a5daad5bc16d1a715b594c0f7ef52e9222571e83fbd1a56dbcc73c192e047bab2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
79a75596497debf102d3c44dfdff3d91

SHA1
0e46694ccec97613c96d194f88f7c16dd9abc9b8

SHA256
56519bbc1f6aeef7d1539a930349d2d496b3443e6a12cae390f3082dae68411d

SHA512
e22251c2384eb2724e624d8be4795667c586d4e0fbcaaeebe5eb6dd979908058dbfd177c84bdec7f9db2f7a09e6951cafa2661d2854ad3850efdc176f74bffa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c47ae0e5e5c716b055d59530ace40e7c

SHA1
6d6cfc2cfd195de178ab53dd92d88eda3d63a39d

SHA256
ba5705a6a131deae953c6cb31614a2a940d19d1b117994db7baa6a64786ad221

SHA512
8ad779ee3e584b61e5fe9397968b157597fd2fad5fbb9997c72a422f87c209365d97cb5d5f8f49098f7ee6ec514359fa06a888b5d2684ae0d0b0edb8572a9cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e5e1b47581457f6fcc4ca00f89e6391

SHA1
593213020bca74f2872f7ff2b5842c8529acc4e0

SHA256
ff091fe220900c72b43b4518c0290c6ea09c69fda96d30778e20ee57019aa207

SHA512
9bfa9e390e1ebe4fffd9536a97cd8a78c862239b8f0ab49a21b0262d0a68e1a816bf30622ec119da3d8baf099cb6bb0677dab1c4394786bb0212a6a8e8b9435f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
26eed16ad19210c1337966e90f2e7a4d

SHA1
4e6193b8cd25446785c32ab7722d264c032120c6

SHA256
1524636ac2546c4d5ce49b5cf6527886f7b100f97603a557e8f4dab3d3593722

SHA512
5cf8b80c5112686f1e1e9f67c98c1584d45c617d2ae1f11f6968510f90afcb3c587ff2e4abcbe58f2c87ea3d7745f0c09594a029af5769c28e48f03c3f40a305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e1c1f4b360ad1e986f95c5902a91153

SHA1
4f2085f29434d16dc2ce270cd9743b40c859d172

SHA256
b7f2371df588c8819b40a4cfc6ae6be17db5c4ac9f7c38c3d3776f79c743d3b6

SHA512
4d218a4d4fe817b9806b4f3f8f53734572bc14ee02ae956fd4130da29ef80c9c974ed2b861173636c6bf0b0aa0707981fe6d48d817268b504660d679b7253bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
9f08c54977c966728236164f1b558b67

SHA1
88d8af9d2eb1886d69082bec500b2b43984a7abd

SHA256
11bf5ab89f0e7a132822bd24deae43b6032c7be366c8807fc38902f635dee5f3

SHA512
6093798989c8e4a5e79157ce807edae35d1db5a7844b06225d77a554a6297720664227eb702168346a7a1e8730df3a4057daf5fbb3febe60bf0c9e6bf651a3b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit