hxxps://links[.]news[.]hims[.]com/ls/click?upn=2z-2FzTKT3vZmtHHFm0qSZEDZg04YgR1rMNlpNlTD-2BBXwDRnH-2FMhm0MoGTk2c4BuCM086J5A1hHU42Shv-2BT8vLVU-2FAZAOwkd2Kj6JYOgGgTdR-2F5kWoy3sUJppIN3nf77b7aeP7FFbpEEg-2FTtKqlAkT3iq6d3BMCwHUQk0gMMS7v1coei7YPo2VP1hxNYQKXOV4pKWaYfdW1V8FkQwORRggYA-3D-3DTxGC_8NmjMJ0SoJOoyVQg-2BQIbGLpsKOOW9VtSI9H0VlRWp9lF3JD1XjsWhW3xqf5wJ6xFvC29p60kUZE0iFojYfLsRsRC6d5gCJvcNecbdQQ-2BiyEE6ilw0Qa16uPik0mfouPYFd4holw5bVj1EKEQFeoTSoMfwgt-2FH8OmeDPIyPlhTyu2mkeBt6gPpqz5CLcuMf1pWHjrzhQfSj0ygrYdTbuU76WIDF1hh1KlUPiVjFL-2B-2FVfhCdRpKHOFony7QfOjo0rAfJX6PMzpNfudUNp-2BXgGIozSfIhrZ-2B7wpTO8X1-2BqXbedVQlGm65omA-2Bp0hEX85RowBrCkyl0Q9LFhSTIqlDs4n-2FN-2BpL-2FRBXALBAqZFZRf5nwL9zsBdMox-2BNKhFPD7tZFu2Ih-2FHdiQTOhSf1AQGdH0TUZhNSJzFPsYBTgcyTeygGt1ytcKXZVLzTUV-2FivhvpeD0zv7gIHNzFGO4l3BWHBNnZgHrlm63HMPDvyI4KY-2F6cxyWCJyLGXBEaDYqar48ygaEkOk0ru1Ng4739sOE9cTbL8JRlpcLnLbxnclGGC-2FrHn9uNOcUySZSrrQh6CHb9-2FpF-2FhGaDJtfNoFQWz3Kfnx6Mdo8Yq5rJOT5vwujj-2BFXSmuPFPmhRcYaD7UbQLiRY0taZVWvvc4bMwcdvWkLg9NnZP-2BpS6Ly0gM-2BFMz-2BHGIT9g7h-2FEkNpIZqk-2BVRory1cE0hy0TNtXcXkFSHMdHtT4lyCXeBRKC3xFacK-2FbJVoZxmI-3D

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://links.news.hims.com/ls/click?upn=2z-2FzTKT3vZmtHHFm0qSZEDZg04YgR1rMNlpNlTD-2BBXwDRnH-2FMhm0MoGTk2c4BuCM086J5A1hHU42Shv-2BT8vLVU-2FAZAOwkd2Kj6JYOgGgTdR-2F5kWoy3sUJppIN3nf77b7aeP7FFbpEEg-2FTtKqlAkT3iq6d3BMCwHUQk0gMMS7v1coei7YPo2VP1hxNYQKXOV4pKWaYfdW1V8FkQwORRggYA-3D-3DTxGC_8NmjMJ0SoJOoyVQg-2BQIbGLpsKOOW9VtSI9H0VlRWp9lF3JD1XjsWhW3xqf5wJ6xFvC29p60kUZE0iFojYfLsRsRC6d5gCJvcNecbdQQ-2BiyEE6ilw0Qa16uPik0mfouPYFd4holw5bVj1EKEQFeoTSoMfwgt-2FH8OmeDPIyPlhTyu2mkeBt6gPpqz5CLcuMf1pWHjrzhQfSj0ygrYdTbuU76WIDF1hh1KlUPiVjFL-2B-2FVfhCdRpKHOFony7QfOjo0rAfJX6PMzpNfudUNp-2BXgGIozSfIhrZ-2B7wpTO8X1-2BqXbedVQlGm65omA-2Bp0hEX85RowBrCkyl0Q9LFhSTIqlDs4n-2FN-2BpL-2FRBXALBAqZFZRf5nwL9zsBdMox-2BNKhFPD7tZFu2Ih-2FHdiQTOhSf1AQGdH0TUZhNSJzFPsYBTgcyTeygGt1ytcKXZVLzTUV-2FivhvpeD0zv7gIHNzFGO4l3BWHBNnZgHrlm63HMPDvyI4KY-2F6cxyWCJyLGXBEaDYqar48ygaEkOk0ru1Ng4739sOE9cTbL8JRlpcLnLbxnclGGC-2FrHn9uNOcUySZSrrQh6CHb9-2FpF-2FhGaDJtfNoFQWz3Kfnx6Mdo8Yq5rJOT5vwujj-2BFXSmuPFPmhRcYaD7UbQLiRY0taZVWvvc4bMwcdvWkLg9NnZP-2BpS6Ly0gM-2BFMz-2BHGIT9g7h-2FEkNpIZqk-2BVRory1cE0hy0TNtXcXkFSHMdHtT4lyCXeBRKC3xFacK-2FbJVoZxmI-3D

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133382226151389100"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
1260	chrome.exe
1260	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 1928	3648	chrome.exe	28
PID 3648 wrote to memory of 1928	3648	chrome.exe	28
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 4352	3648	chrome.exe	88
PID 3648 wrote to memory of 3804	3648	chrome.exe	89
PID 3648 wrote to memory of 3804	3648	chrome.exe	89
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90
PID 3648 wrote to memory of 696	3648	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://links.news.hims.com/ls/click?upn=2z-2FzTKT3vZmtHHFm0qSZEDZg04YgR1rMNlpNlTD-2BBXwDRnH-2FMhm0MoGTk2c4BuCM086J5A1hHU42Shv-2BT8vLVU-2FAZAOwkd2Kj6JYOgGgTdR-2F5kWoy3sUJppIN3nf77b7aeP7FFbpEEg-2FTtKqlAkT3iq6d3BMCwHUQk0gMMS7v1coei7YPo2VP1hxNYQKXOV4pKWaYfdW1V8FkQwORRggYA-3D-3DTxGC_8NmjMJ0SoJOoyVQg-2BQIbGLpsKOOW9VtSI9H0VlRWp9lF3JD1XjsWhW3xqf5wJ6xFvC29p60kUZE0iFojYfLsRsRC6d5gCJvcNecbdQQ-2BiyEE6ilw0Qa16uPik0mfouPYFd4holw5bVj1EKEQFeoTSoMfwgt-2FH8OmeDPIyPlhTyu2mkeBt6gPpqz5CLcuMf1pWHjrzhQfSj0ygrYdTbuU76WIDF1hh1KlUPiVjFL-2B-2FVfhCdRpKHOFony7QfOjo0rAfJX6PMzpNfudUNp-2BXgGIozSfIhrZ-2B7wpTO8X1-2BqXbedVQlGm65omA-2Bp0hEX85RowBrCkyl0Q9LFhSTIqlDs4n-2FN-2BpL-2FRBXALBAqZFZRf5nwL9zsBdMox-2BNKhFPD7tZFu2Ih-2FHdiQTOhSf1AQGdH0TUZhNSJzFPsYBTgcyTeygGt1ytcKXZVLzTUV-2FivhvpeD0zv7gIHNzFGO4l3BWHBNnZgHrlm63HMPDvyI4KY-2F6cxyWCJyLGXBEaDYqar48ygaEkOk0ru1Ng4739sOE9cTbL8JRlpcLnLbxnclGGC-2FrHn9uNOcUySZSrrQh6CHb9-2FpF-2FhGaDJtfNoFQWz3Kfnx6Mdo8Yq5rJOT5vwujj-2BFXSmuPFPmhRcYaD7UbQLiRY0taZVWvvc4bMwcdvWkLg9NnZP-2BpS6Ly0gM-2BFMz-2BHGIT9g7h-2FEkNpIZqk-2BVRory1cE0hy0TNtXcXkFSHMdHtT4lyCXeBRKC3xFacK-2FbJVoZxmI-3D
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6f409758,0x7ffb6f409768,0x7ffb6f409778
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:2
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5172 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4996 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5400 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1876,i,10200762819270996174,2596318987701889773,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5dd6b8c2f12f90fb2badb83ad66c3c3e

SHA1
a468dd2d6c2141e0e5356b5711dbbc7c1d4f0da1

SHA256
785e0847a11b4e9c77146a88f05342c8248dd638c568ff8ac6de89f5e58e2184

SHA512
dcf6db841b813f34cbe01341fe58653aafbb19c593af9c84027690acb6c51a1d3fad7c74c502d418e8af449fea82fe8734bcc906e70aaaee6f1e0b93307c7510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4c3ecff6c48bd6aa66873fa15e703124

SHA1
c5f26a124669ce1645b0d03e416a10df97d0251e

SHA256
0332f427e669e6ffe9f87620d16364647f9eb4ab2b88d7f99c48da505c4dca9b

SHA512
f30ec7d2c2e75b9edc4b5e9d1600a94eda5a8be4822cf31364ec75d144770ae49462f8a6e061e19d998a04868b522f638dc0b241e21637b765062c2bd99283b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
64eda204a81b3f74feadcdf014e49dcb

SHA1
72761f11537f1b253e75a21c6648468f83b1690d

SHA256
44930ed87eb246defa55de314285ba07766ff46da8bcdc7889f7d9e0f5e2a3c7

SHA512
cc725b36b25bb646eb1902c245e2e2202e956817075b47bb35ba403d5301455fdb19101f0bd71206c67bcdbc8a5a57e26c13b85645cc0299e0c840c7a170537e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
cdbe55745ad1e10f75ae8003a1b75784

SHA1
68588260bcb780ec4d8e004e34cad4bb699d4b0d

SHA256
4035bf4cdf32af3ab2a7b6be2b18a31544eac182092c36e031cd994138eff627

SHA512
a18ad795605539841f773ecee83fbd0bac6e2b724e09350702761b692b6f18feb0ea787aaaa6e5491c4766aca08efca7203a7c3bfcd9866aab15962254b04041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b8ffdc03182d7fe06c1802226ad5e819

SHA1
81a7dddbde86c5a39ea21c73d5cf9c11e73aa294

SHA256
27c277e3a5f7d5b5cf193249eb6431ce7dd14b64293073f9f705a2004bb387a8

SHA512
7a69f73720da5b1cc8722977b6670582571d70229ae0f5056602ce108d9f65b9ab26eaca650e30792b3a372a04150ac7dc0c2fa02c43eacc2d07cdcf4d55dd84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e74da3440f653d52548c75d5e4850fdd

SHA1
135a614befe029b6d9bebe5667d8458d22800808

SHA256
f82d9c6fb0b90eae6736644d7848f20cbf8d54a32a5586616f8cb24f33eb3b30

SHA512
378e4c02421c5d9b801bc08a43885f204d63dac00cefad976c80cb9183f08326f6c29dc0e406c13658b4ba3dc011e600f2135e780aa805e7e04640ab90f2851e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e03e.TMP

Filesize
48B

MD5
9f48db95ea5f556a8819e979bbd4b7dd

SHA1
480697de0e6a6a5d557def5b9ec6cf26feb801b8

SHA256
aa3836657073fdf043a9e2a667722b6f3c92aef9cf12aa8c2dfa50d496031637

SHA512
f61af4bf1f398e674d8c752b2cac7450b5c0afb271da1880eeee70327b2e5250bf1a8067d3ec794b9a7181833d64371aa71ed3f0009f32c327e60d72dd04e49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
6a582f10671efabd7185dac320ec656e

SHA1
9e1c0557f3064d9c0cbd9416fc3e3206deb28cdf

SHA256
b2cbcd7c871f0dd7b652e6e7566df749763cf0b02549e8847972d2c54618e442

SHA512
df72132a95b88412c030e9421d4711384de6e6f66a947caeb81a068e0fdd48f39d6293b67b5cc8bf5ee331c13769ea368e0337c78e58696ed4ccc4164f3e2635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit