hxxp://itnewslibrary[.]com/email/unsubscribe/d849bf7a-a81c-4cd5-b805-1b2427e3aad4[::]C

Resubmissions

19/12/2023, 14:21

231219-rpe8hsdhen 1

19/12/2023, 14:12

231219-rh7n7acgdn 1

Analysis

max time kernel
300s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://itnewslibrary.com/email/unsubscribe/d849bf7a-a81c-4cd5-b805-1b2427e3aad4::C

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133474693268943533"	chrome.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 4076	1148	chrome.exe	50
PID 1148 wrote to memory of 4076	1148	chrome.exe	50
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 3588	1148	chrome.exe	89
PID 1148 wrote to memory of 4228	1148	chrome.exe	90
PID 1148 wrote to memory of 4228	1148	chrome.exe	90
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91
PID 1148 wrote to memory of 2372	1148	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://itnewslibrary.com/email/unsubscribe/d849bf7a-a81c-4cd5-b805-1b2427e3aad4::C
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa91c79758,0x7ffa91c79768,0x7ffa91c79778
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:2
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5408 --field-trial-handle=1860,i,8375273016350432324,6264535654015953990,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\30a6453d-bebb-423c-aea8-1abf27257292.tmp

Filesize
6KB

MD5
59d8ac4edf269632b9836148afd6447a

SHA1
5882df40195ba5a38a8c4a67e24133346d00ecf2

SHA256
0251b7ae17d637be5b2a369e541ef340d2ff6ef5083428da7298626d4ad61cf0

SHA512
4eea3c82ecea842817611a1c57ed98f30c70a817c75e8f808e5bb413b85a3447745915ff55d43f6fede4d68f1d16a3a82f7e7c5d5f933b3a56fbb7ea97eaf082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
5f6cafe74aba0c626c61b12de6fe5bf6

SHA1
db8142d533b583858d8792c8b647b6c450573cd1

SHA256
89fe1c6304975e84572206498168136e3d91b1a0a3ba282a718e766e1f5a87b6

SHA512
bcc7c3767d07f0e866fef59e439871f7f19c8916657a3864c362337e8c0b4c539f1e689ad81b772425926da3a95348ef8bd8f81a437c47463cbdbd6d9bf294c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
23fa339df5ab6815f3665a0ad3823b0e

SHA1
7b9ae7ecd24618495bf65f480bff18d1459ac6b6

SHA256
d1b91ab004a83b2253bedb2fe5e1328f20f90c0cd8fcacd60751da12c209b5a3

SHA512
c399fdd795ac837a5515173e0dd7983c2be6b8b8f9b97fa8d9758e90e2ce8bad24c0312f32de17bb5f7139bce9fc8b2ddb341c1cf8fbd826ad20d0adcd170925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
5c4afcabf87283beb4f63031231cca58

SHA1
4dcd094f015957f11e9e9b122bd52ee76dd143eb

SHA256
07594cf4a94bbe5776cfc336f1cca017ec3c6fd963427dceeba9a85106fd299b

SHA512
b26ebbccc21377a22ac2562a6ac82fe1c8a1c47c1a9e8d9587573d083b37a037d908e4a3049dd7acc8b6e0a04c091d1c2adc647debdfc028092a810dde17135d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d371949b8c671bab868b6463f941476d

SHA1
811652c10200faa6b3ceb8bde39112737e99ca13

SHA256
6e0c4e41ec353da911fdda63d0089225af56973c6cc284d9010bcd7bb6a0fd65

SHA512
65a4638c81333e7ebd04d19b478ff3aa779342c234fde94b44db45a07e53d9fdcb5b03f147fa1d90f301933747815c288f66953653a6f47a9ae1583c138ce873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
135KB

MD5
dc1245144b257445ca582b7fae6fe7f8

SHA1
dca8f0f7fe8a87bff85f1fc79470713906d087be

SHA256
23eaa01299b93034c1d1fb76f7635469eb2d51a93d7871a5c5fb5c99959234bf

SHA512
fed1ae619318549ea5804f0a8901ad119d63505660a64ac23310ef9cec2e1053a0cfac3736f138a81a488f8b35f8de5694c118bb97e1198a42be3fcdcafcbb4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
22ac666639e41c04cc9e70884424df4a

SHA1
36687a12024756dbd927ffb2b6895c335ed33bb8

SHA256
f91037e348a0e88f14fd7164b478c6af26b4ac40435b517d65e1adfac748b418

SHA512
7f86f9bca4d779594b4d4fbc552c819516ad4e97b51c63edeadcc72e079d416e62f6ac27b54e114275b7ceaca901290d1dbcc092af1051b79612d8a80e535ceb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a6d440c573f04a186e8f515486df33a7

SHA1
935b9a01c68cfee813bf00af14c795741b2fcf3b

SHA256
811ad44415de35eb1f544d1fb88b7d60dbdcb89f67d80c7e6b5b2f8c9e12ab69

SHA512
89fa2381befc0c9ab849afa503794e32ee9817c112810d36ccd0ed6f57c3ca0ab2ae04fc89a0fc90dec7996673c66c8ef60237f2a05857f8d796db922a69a75d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
b9ce5a0193dd0a818a1522b4e2a4f463

SHA1
8f2c0be214440b5e2fc5dea68724942391c97688

SHA256
f8533121ac9c1851ef27282e54e19a632d99983302820fd3bfd15d92eb923edf

SHA512
409566217e199bb693406b563399cad61b13791f5335ada088a6dd0de789a4724694c13eb184e5d7e758ccf88270c78770446e854086491cb4f097c1979ee8e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
0b2bef1c5db8f256605bbdb52dc03f34

SHA1
ebbcd68cd4c2ff6528a75ec23e472da22e95a25d

SHA256
7301fa0dc44f304edae34678392dd53d79cb7152587a4029be5ebfc8f26b545a

SHA512
cddb8b83b98eb94590a647b774097c4be8067796f8bade06355fd1df589759a5970813be36ec6b4d0951f2940d0717a432f3f757c8d0aece27eb02ec3758d8f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c757.TMP

Filesize
101KB

MD5
6fff8a175596052265c7e1f7b2b9bb32

SHA1
b9e0948f3089c2a3676eb2d5b361bf69b5f6cb67

SHA256
ffb21546281075b4ff35395dfc0d7342c71da9892c4996e15120fd73b7459622

SHA512
e68f76bd201b3c8e4e99ae2a820f834fedbe189aecb788ca0c7c6a0aba0720a0f751aed7f4e19264a30426fdb27c638aec5a03e028e4c7f879d198ee51a16d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\50f2a77f-a36f-4246-ade2-074a1f324e27.tmp

Filesize
33KB

MD5
e3f7bc08d64066ce62321f854a800dca

SHA1
c8ee58c1d750fa37f81a4986835cbb45e4feb6a8

SHA256
fa6679f7fac11a7d4096a79437810e9f7b41364f80233042d351c99cae34f803

SHA512
601e214836d23fc0004c7fd663f04248e3e8eef4efce07c9ad5ee89585f7511575db6e88886458e692648e44591620653df999e357dbf7d65a64bb1bfcf01cc3

Download Submit