hxxps://www[.]realclearpolitics[.]com/esm/cache/importmap[.]js?v=1[.]1[.]6

Analysis

max time kernel
150s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
18/07/2023, 18:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.realclearpolitics.com/esm/cache/importmap.js?v=1.1.6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133341769054963727"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4232	4128	chrome.exe	69
PID 4128 wrote to memory of 4232	4128	chrome.exe	69
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 536	4128	chrome.exe	73
PID 4128 wrote to memory of 1404	4128	chrome.exe	71
PID 4128 wrote to memory of 1404	4128	chrome.exe	71
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72
PID 4128 wrote to memory of 3060	4128	chrome.exe	72

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.realclearpolitics.com/esm/cache/importmap.js?v=1.1.6
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff0b629758,0x7fff0b629768,0x7fff0b629778
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:2
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 --field-trial-handle=1760,i,1141162660544446548,8967565028486595228,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c04b77aa0d33109c7476fecbbcde711c

SHA1
e941f30a40ed6c1edb8d7e93a196d888a9496824

SHA256
b51768d2187a80ae46a0b9d55c02a68cef0e042a575bbf465bd90cf986469112

SHA512
56b242a09ca8679272d85a153081b4f9e8d1f14ee8214dbf7ae691d53522f0f5d183779d084c4b293793994056a810a3f74386ec8bc502995a77171f8f040e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f5c3da8b39832728ed559c1f97013b70

SHA1
f1d5cb0bfb77af25ae903eea89d079195d2cb561

SHA256
504abe2f3287120058c30f1639e160fff9257670229a36a933d7739b4d57c89b

SHA512
d39afdd4d6bdf2af7b1dc6d9fd5cdc70c5b84ffd76bd14ef7c02549ea2eaa7abc9b3959a1d0e8da169d4b43d5cd19c48f18222fa9e9dbd91d8c68eaf33a93837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f989cd5aa87d1d41c83c1f3e7e5f32e0

SHA1
2dae0c07cd0c564de58f534d91c0cef8a17927cd

SHA256
29ea43d813a9f368f88712fcd854908ec2fff75cb7a61e2d9b756a01cafbb16e

SHA512
eb034571195ef632e8c642c448825b8adc4fc7b3d21a4f29b4fa704c25d158df830aa275c19988d895e82e363f436720a99fce6382919c11e3c1b2c19f32c1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
520ba4358954989f31aa680bf70c9396

SHA1
b0b319071e369e957754591af949b62a94e4a2da

SHA256
5d427926c6ca40975623f8d78ae19d71693ee7e6f52a197935aae0412f9f51ed

SHA512
1cdb10c508920a94eb2514c76984d70a58dea8afe9317eaabe1553f20d9efe7429aa2e5c670bf941e9b13dc5e81d5eb14b5e4365aae9c2f9eba17fe6bc3b8f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
0ac3a367527fb7e3cdc62d28e92fbe53

SHA1
a3e19b8084a4119ccc9ce406929bbefcdec63795

SHA256
56bbbd855c2e019d3d6dba7007bac4870ab2608990414ff714ab1203ce348c0f

SHA512
75092caad4e341f86d8a1267f4dbf0262cdc041a3543f3a34e835ced18447b4b0de770a76811f116df56e574d054a3c494698e0d4332314c4d1fbb38f06971cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit