hxxp://links[.]mail[.]service-airfrance[.]com/ctt?m=22412736&r=mtexndk4ndu5mzi5nws2&b=0&j=mja5njq4mdm3mas2&k=usabilla_title&kx=1&kt=12&kd=hxxp://jLvMjqE9tGvTWC099VaA[.]uchumayoenimagenes[.]com#bG90dXMubGVlQHNnLnRyaWNvcmdsb2JhbC5jb20=

Analysis

max time kernel
157s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://links.mail.service-airfrance.com/ctt?m=22412736&r=mtexndk4ndu5mzi5nws2&b=0&j=mja5njq4mdm3mas2&k=usabilla_title&kx=1&kt=12&kd=http://jLvMjqE9tGvTWC099VaA.uchumayoenimagenes.com#bG90dXMubGVlQHNnLnRyaWNvcmdsb2JhbC5jb20=

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3112	OpenWith.exe
3112	OpenWith.exe
3112	OpenWith.exe
3112	OpenWith.exe
3112	OpenWith.exe
3112	OpenWith.exe
3112	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 948	624	chrome.exe	79
PID 624 wrote to memory of 948	624	chrome.exe	79
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 2276	624	chrome.exe	83
PID 624 wrote to memory of 4436	624	chrome.exe	81
PID 624 wrote to memory of 4436	624	chrome.exe	81
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82
PID 624 wrote to memory of 1928	624	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://links.mail.service-airfrance.com/ctt?m=22412736&r=mtexndk4ndu5mzi5nws2&b=0&j=mja5njq4mdm3mas2&k=usabilla_title&kx=1&kt=12&kd=http://jLvMjqE9tGvTWC099VaA.uchumayoenimagenes.com#bG90dXMubGVlQHNnLnRyaWNvcmdsb2JhbC5jb20=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4cb79758,0x7ffa4cb79768,0x7ffa4cb79778
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2012 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:2
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2792 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4948 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5216 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5508 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5776 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5416 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3100 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5604 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4644 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5712 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5844 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5416 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5772 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3820 --field-trial-handle=1964,i,13480876713906282907,11290952151762316884,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument mailto:[email protected]
  2⤵
  PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa4cb79758,0x7ffa4cb79768,0x7ffa4cb79778
    3⤵
    PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
06beb2b179ed8d7eb726106b134ac0a1

SHA1
3d846505e0eea78a861bb4401dba44e00baa96cc

SHA256
6c5c7555020fef6e7483274ca86461be0e2683744e8bd41e6b5f65af76e89ea6

SHA512
5bbe6a5b2659561dfdbda7261f9fa993fab1b84a4dab8b074178f8cbd1107cdd1955a72a7157b5c088a0e6f9b7a65751b895d71554386c11a17249ca3064c810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
06beb2b179ed8d7eb726106b134ac0a1

SHA1
3d846505e0eea78a861bb4401dba44e00baa96cc

SHA256
6c5c7555020fef6e7483274ca86461be0e2683744e8bd41e6b5f65af76e89ea6

SHA512
5bbe6a5b2659561dfdbda7261f9fa993fab1b84a4dab8b074178f8cbd1107cdd1955a72a7157b5c088a0e6f9b7a65751b895d71554386c11a17249ca3064c810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
06beb2b179ed8d7eb726106b134ac0a1

SHA1
3d846505e0eea78a861bb4401dba44e00baa96cc

SHA256
6c5c7555020fef6e7483274ca86461be0e2683744e8bd41e6b5f65af76e89ea6

SHA512
5bbe6a5b2659561dfdbda7261f9fa993fab1b84a4dab8b074178f8cbd1107cdd1955a72a7157b5c088a0e6f9b7a65751b895d71554386c11a17249ca3064c810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
feed57a9d2adc667d06bc34fb623ace3

SHA1
09c8d65ce46ca85c8b6095a90d874448b08df358

SHA256
b9510b5bd7d56486d922fcc0c2e79939f70ae1bb918a39bbd8255c9555b9dec8

SHA512
7071ef667e05a6d3e9ea17bdd7dba86e8f632c096fc622ef4ad88eb5714bd259e33392041c96108b347b00d3f73b4c9a19f9c3f979973d7d4e5a333063c78a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
60b2d18db14cfd8c379b131c315150c2

SHA1
5e6a504debbfe4750744c7d9aefd5327b947d956

SHA256
d2bccb757f6370e964bd975242d61dc5976b3a658b22ea51f393f9a147cda33a

SHA512
69c6c71d435a4b9cd70ff574a552f90fa1e68eafabe030ad53910b764e14b0e098190c55f67cfb9a2e868fbd0a7af36c2c9c7a1edaa46b1e2cf28cec95b5a3a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
848d3105d3f1f67d496ce2f09055b255

SHA1
7f1b42abf7e8e4f4b2d4b5d392fc6bd1163ce375

SHA256
cf9e814cea58d165ab5a1b0edc4cd1faa223906849deff108a2d195f4c47dde1

SHA512
6b13463cfbeafe5fa0c928a94f8cf7f8da88e2f4eb069b2ffa3bd03fe9983b31679cb187cc4b805d57482750ce9e70798cbb031f68ba14112c11066df1b31bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ebb6ca24d45864e0915d14d6fac0362

SHA1
57df37333e4f834eb2559c45930d98b3f3f681a8

SHA256
76fb1afe71739153e7ce00fdcb647092b1d05cd27a85ce804d74c38f02b8075d

SHA512
b4ee0f969d102165c32201850a8eb517ea237a0cc3cc13982e7e6be8f43ed413e1a4444bba74233de8374a8288d05ef974fb0d8924f811d5658b05d586204125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0b9a141bf439afc046c22be623aa9e2d

SHA1
71ab96538c68a4bf4be4769563d0412d9aa6a410

SHA256
7fbee8c33dd62a779d28bcb0b048f1c00f0d77e7083f84a8896d88871730f97d

SHA512
57064d8bcef37ac84962556328a1073c3cfb5711686f8db5679a8a8e6421c12881f10fc35ab7502658149a8bcb83753568c530cd8d76ff2138b049164659aa7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3a6abe2d0c19b33834ec2857025f93ca

SHA1
1ad588b2a84ce17b427de5b096dd8f6b4494e116

SHA256
cf47854aeca7a036a8cb658150aade83cda3fb63774c2fd6bdc555fc312342c0

SHA512
ebcb8ad1e6d668d4ab3715e034cd8d692e60e3791a67f1cd4e6ca6b8bdb56fc4353dc271d68ea763b97ce3ee606a2c71a854843846bb4f7ab3a039100c347102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
90e6edaadea45be4ae7dcf3da32fdddb

SHA1
b8e328c96c918408a7b2ab2fe3d367016217f9e7

SHA256
6b2263d5103495d1dade2a6bad6e1c5a52f3b1063a19fa18bca30217ccfef9d9

SHA512
1de773d64e0f7149594d854ea8b088e1a7b1a6269d63a5ec7b282f3b733eb77c87e424bc532326340701f58349c7f9f1d6bb1580201d7baf8f5fca852787ef7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
3f512343699915f119f31c279ef60df3

SHA1
a83be49e55b43df151019009638856d5832bf594

SHA256
637294ea8861f9a00950096a0fc1c270a0bffcb58b6ebe5ad7228badc484988b

SHA512
bc6af5285cc3f8e64dd2a9ab1139c6e2612069380b4b1b72a280033e59835877e6e66e68dd434ebfbb40e000e9714b8ea3d30fdf3a16ae4b122da7bce752c5cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
c9a9c54e3ec5f77dc4481d6d2223d0bf

SHA1
4e3fd9caadb0bb2f68dac10ddea684b5eb626d1e

SHA256
c37aed440b90bfcd16f16c8ec87b2c4fd48531694433c08ab2072f2bbd3bf378

SHA512
6594446f6ad8573fc2e173b4ea681a837773e8291fa5c863656901e6afc12121950279b98fd98dea0457f6a42c180bbe0aa3a981011f728498dbbd22fda133ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f83b.TMP

Filesize
97KB

MD5
c8637dffe6d4fb59f0df41de7a019059

SHA1
81d11f74e76d85d77e90b399c60533f2b7b0b3a3

SHA256
5b56fb89fae2506cbf939ee6394fa2fa435bd61f2277b9aa6bbfaca0091f5791

SHA512
a9327e93b86a9b360b3eff4cb30693adbbfb1d11e14096c095af83d93abc0f7166fb56b2a0a3201edaba0d20827c13ed24160663b49ae95a6b248f4ba8867bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit