hxxps://rtb-us-east[.]linkedin[.]com/lax/clk?trk=CwEAAAGNTWXNjoNdtBWOKoDPikJOs4TeJUfMn27vYyuj_WDulcLRSSh6ZYb-pomeyd4l0SFXCKFJX9FPkxtIcvFabF6V0AXPG5WoKQaKRMRhhPa7dPCSBWINcttkMNQ-OCJfN_gzofwtt1TCHCcXPmb1MJpPC56Z5n9MrnbN8cTgQdhP2QD-cOLgX64rWAriZKuLUK-4HOvVA3RF3t1ORjVOOHXoBaCdnlZljdUD9Oo4l1dwlEoVa_PPIE4GRndWToETpEmdlRAmVhHUqHcdF9g3RKLaLNQuaWay-gOsYOz73A8lCYY1Daq7cXJuSoTvpOGDM6ahvI-gvE-SOw39KnSndYNM2bpQKhILkzEX36LadpQEvJoe6Fb6kPLyb-WFBwZz6XDxRRt8ezXHVIcG4aLU0OQdqrB2PHVnVz3QLy-6uwJh2vEiXW2Sb3KecmR0c9NjFkWzF9JIL7wlQJz2J-WRZfUWmbJzXZKkG2Ii-pGnXy3Spe2qPGPUxXcuFy-VJLA8bhCq0ZL8QMrvYQZVhekkRwwts1ECH_XEuscU2aqvan6Bv9WBPhRW-9-tjsKnScwv5qThl1nau2tB2-xFWg9Zyz8W0sQV1RuE-4EoVtcdm_KZXVWxL5tNv2MuKm0A1aeNQmi_R-6EGAsYbCMZcDLQLXlKEC8cXx-Rg1_Sasxbh7v9qC9f82eaDgqji7W_UF3rolkXcJ0x-H4L0Ue10FR47vXmoGnOUhdQSItiK62bdSZsNpGOdwde4mdf-FcPTWK9ZnHGdNG5VorhZrmcJo3v_ZVT3jxTUtttQ77MV-GZGLetVzv1bMSTzgmwUsIB9CdjHC_DfSsoTFNkoKRjlBLrztIQSR9_XA3LvqK-nxJCWvOEYnamLICIRZVnqkdAlC8MYmPPaYzXJ4lnDjhyAuSwTTMJP-6_lRiLBq1r2-bLqMz7HwBG59bSqwqGdbFOi-1JNtwVCS-N0SWMktmFi04KgDG1BGjInfdn9XxFpCoLSpUmv12_6IOXJkA0Q1H7Toj2q3He6P3TfTnkDxJFCyrej1ruWuZrnH7D4vdH-_Oe0vqLnrPQ8uxYdvCWABRJHpV14iq6qNPtPMTpxvnMiKAfon343DwBm3k9U8tV99XwsUtIyVbJOWnNZDk5I3mZD88AwyqVJwEdQaRLgvq-Y20rZmU28JRg-l6k_HnvSsX6c2an-6eGTZoo9cXnvzPxHyJg0btfI7Lj9XIrOtpwslQ1sfpfIR-BcTtScolONOITl2XhkB8za3CVLdnwl1GVl_s-nMjpOFkGigeoYJUwKjl4BezhIAbiY9n2oLJOvw6eKBWiVCUPpknkKSIlhkeC5AODwG3D-8G5tBBT4fQjwjSGF-hCfS_3Tk8KuJbEXM1iK3Rg2GshoipcroaJSL3Jn1BJzgjzITZrjg63_LlngmBdDFZMMpMGez1vTU0lq5Zl5ABJgCPgxdOxn5gKBNoViPuMzkRBf0Gj

Analysis

max time kernel
299s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 01:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://rtb-us-east.linkedin.com/lax/clk?trk=CwEAAAGNTWXNjoNdtBWOKoDPikJOs4TeJUfMn27vYyuj_WDulcLRSSh6ZYb-pomeyd4l0SFXCKFJX9FPkxtIcvFabF6V0AXPG5WoKQaKRMRhhPa7dPCSBWINcttkMNQ-OCJfN_gzofwtt1TCHCcXPmb1MJpPC56Z5n9MrnbN8cTgQdhP2QD-cOLgX64rWAriZKuLUK-4HOvVA3RF3t1ORjVOOHXoBaCdnlZljdUD9Oo4l1dwlEoVa_PPIE4GRndWToETpEmdlRAmVhHUqHcdF9g3RKLaLNQuaWay-gOsYOz73A8lCYY1Daq7cXJuSoTvpOGDM6ahvI-gvE-SOw39KnSndYNM2bpQKhILkzEX36LadpQEvJoe6Fb6kPLyb-WFBwZz6XDxRRt8ezXHVIcG4aLU0OQdqrB2PHVnVz3QLy-6uwJh2vEiXW2Sb3KecmR0c9NjFkWzF9JIL7wlQJz2J-WRZfUWmbJzXZKkG2Ii-pGnXy3Spe2qPGPUxXcuFy-VJLA8bhCq0ZL8QMrvYQZVhekkRwwts1ECH_XEuscU2aqvan6Bv9WBPhRW-9-tjsKnScwv5qThl1nau2tB2-xFWg9Zyz8W0sQV1RuE-4EoVtcdm_KZXVWxL5tNv2MuKm0A1aeNQmi_R-6EGAsYbCMZcDLQLXlKEC8cXx-Rg1_Sasxbh7v9qC9f82eaDgqji7W_UF3rolkXcJ0x-H4L0Ue10FR47vXmoGnOUhdQSItiK62bdSZsNpGOdwde4mdf-FcPTWK9ZnHGdNG5VorhZrmcJo3v_ZVT3jxTUtttQ77MV-GZGLetVzv1bMSTzgmwUsIB9CdjHC_DfSsoTFNkoKRjlBLrztIQSR9_XA3LvqK-nxJCWvOEYnamLICIRZVnqkdAlC8MYmPPaYzXJ4lnDjhyAuSwTTMJP-6_lRiLBq1r2-bLqMz7HwBG59bSqwqGdbFOi-1JNtwVCS-N0SWMktmFi04KgDG1BGjInfdn9XxFpCoLSpUmv12_6IOXJkA0Q1H7Toj2q3He6P3TfTnkDxJFCyrej1ruWuZrnH7D4vdH-_Oe0vqLnrPQ8uxYdvCWABRJHpV14iq6qNPtPMTpxvnMiKAfon343DwBm3k9U8tV99XwsUtIyVbJOWnNZDk5I3mZD88AwyqVJwEdQaRLgvq-Y20rZmU28JRg-l6k_HnvSsX6c2an-6eGTZoo9cXnvzPxHyJg0btfI7Lj9XIrOtpwslQ1sfpfIR-BcTtScolONOITl2XhkB8za3CVLdnwl1GVl_s-nMjpOFkGigeoYJUwKjl4BezhIAbiY9n2oLJOvw6eKBWiVCUPpknkKSIlhkeC5AODwG3D-8G5tBBT4fQjwjSGF-hCfS_3Tk8KuJbEXM1iK3Rg2GshoipcroaJSL3Jn1BJzgjzITZrjg63_LlngmBdDFZMMpMGez1vTU0lq5Zl5ABJgCPgxdOxn5gKBNoViPuMzkRBf0Gj

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133508777099282042"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
4696	chrome.exe
4696	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 3740	1224	chrome.exe	85
PID 1224 wrote to memory of 3740	1224	chrome.exe	85
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 1588	1224	chrome.exe	87
PID 1224 wrote to memory of 2984	1224	chrome.exe	89
PID 1224 wrote to memory of 2984	1224	chrome.exe	89
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88
PID 1224 wrote to memory of 3720	1224	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rtb-us-east.linkedin.com/lax/clk?trk=CwEAAAGNTWXNjoNdtBWOKoDPikJOs4TeJUfMn27vYyuj_WDulcLRSSh6ZYb-pomeyd4l0SFXCKFJX9FPkxtIcvFabF6V0AXPG5WoKQaKRMRhhPa7dPCSBWINcttkMNQ-OCJfN_gzofwtt1TCHCcXPmb1MJpPC56Z5n9MrnbN8cTgQdhP2QD-cOLgX64rWAriZKuLUK-4HOvVA3RF3t1ORjVOOHXoBaCdnlZljdUD9Oo4l1dwlEoVa_PPIE4GRndWToETpEmdlRAmVhHUqHcdF9g3RKLaLNQuaWay-gOsYOz73A8lCYY1Daq7cXJuSoTvpOGDM6ahvI-gvE-SOw39KnSndYNM2bpQKhILkzEX36LadpQEvJoe6Fb6kPLyb-WFBwZz6XDxRRt8ezXHVIcG4aLU0OQdqrB2PHVnVz3QLy-6uwJh2vEiXW2Sb3KecmR0c9NjFkWzF9JIL7wlQJz2J-WRZfUWmbJzXZKkG2Ii-pGnXy3Spe2qPGPUxXcuFy-VJLA8bhCq0ZL8QMrvYQZVhekkRwwts1ECH_XEuscU2aqvan6Bv9WBPhRW-9-tjsKnScwv5qThl1nau2tB2-xFWg9Zyz8W0sQV1RuE-4EoVtcdm_KZXVWxL5tNv2MuKm0A1aeNQmi_R-6EGAsYbCMZcDLQLXlKEC8cXx-Rg1_Sasxbh7v9qC9f82eaDgqji7W_UF3rolkXcJ0x-H4L0Ue10FR47vXmoGnOUhdQSItiK62bdSZsNpGOdwde4mdf-FcPTWK9ZnHGdNG5VorhZrmcJo3v_ZVT3jxTUtttQ77MV-GZGLetVzv1bMSTzgmwUsIB9CdjHC_DfSsoTFNkoKRjlBLrztIQSR9_XA3LvqK-nxJCWvOEYnamLICIRZVnqkdAlC8MYmPPaYzXJ4lnDjhyAuSwTTMJP-6_lRiLBq1r2-bLqMz7HwBG59bSqwqGdbFOi-1JNtwVCS-N0SWMktmFi04KgDG1BGjInfdn9XxFpCoLSpUmv12_6IOXJkA0Q1H7Toj2q3He6P3TfTnkDxJFCyrej1ruWuZrnH7D4vdH-_Oe0vqLnrPQ8uxYdvCWABRJHpV14iq6qNPtPMTpxvnMiKAfon343DwBm3k9U8tV99XwsUtIyVbJOWnNZDk5I3mZD88AwyqVJwEdQaRLgvq-Y20rZmU28JRg-l6k_HnvSsX6c2an-6eGTZoo9cXnvzPxHyJg0btfI7Lj9XIrOtpwslQ1sfpfIR-BcTtScolONOITl2XhkB8za3CVLdnwl1GVl_s-nMjpOFkGigeoYJUwKjl4BezhIAbiY9n2oLJOvw6eKBWiVCUPpknkKSIlhkeC5AODwG3D-8G5tBBT4fQjwjSGF-hCfS_3Tk8KuJbEXM1iK3Rg2GshoipcroaJSL3Jn1BJzgjzITZrjg63_LlngmBdDFZMMpMGez1vTU0lq5Zl5ABJgCPgxdOxn5gKBNoViPuMzkRBf0Gj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbda1e9758,0x7ffbda1e9768,0x7ffbda1e9778
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:2
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3808 --field-trial-handle=1848,i,17120368406309228026,9838917071847855401,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
24KB

MD5
b2ccd167c908a44e1dd69df79382286a

SHA1
d9349f1bdcf3c1556cd77ae1f0029475596342aa

SHA256
19b079c09197fba68d021fa3ba394ec91703909ffd237efa3eb9a2bca13148ec

SHA512
a95feb4454f74d54157e69d1491836655f2fee7991f0f258587e80014f11e2898d466a6d57a574f59f6e155872218829a1a3dc1ad5f078b486e594e08f5a6f8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
46KB

MD5
f5a69fcd470ed30bfd2a67f68ff8ddae

SHA1
639a4eae6fc93cda2d1a64ce2f035ebd1b320890

SHA256
b51a455654e77206293b479b87872cc64264df9924b48bf388f51b0c584432d4

SHA512
3189af38fd3c6de3860fe8f6d11305acb4b1e72ae16e33e1dd822d8311d61670c6d419285abcd799bf6f6be4d74e53d54cf243110828cf23bd5270d787109da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
0e8398fdde4f1b45539af807fa0e59ae

SHA1
3d9f6341b13db125b67c4196ba2bcd5b6881b39f

SHA256
f507a3a6b9f835a84b1509fdce844410ea4e0a115b16c0abd26d571426715416

SHA512
000ea3c4ca51b68cfe2f61b2e46be159a621b0548b2febf94ba9bdd032e55c4c57a1a0537394307b4f701a63fa759a4b6f09f47d85106edbbe73fe35d2dc2373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
de5492add447b66d827abe55d57a79f5

SHA1
081d9b6d4eff827b409ab312564992ca6277d022

SHA256
09b6ef278c1d5f044270323d4bf531849579e2c27b0d4f56231b83c35839673e

SHA512
88067c7d71f7a144282e566a905f37490adecf36dca8b9060ef14d13c4f90f1fd0c756b6f6a7ef912e9c7f81b1444d09b1561f54ad425863daa09acfc04d7ed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
59a5002f76e55d957ebd0c189939e9b1

SHA1
dc40db8a7e8bba5e3eeb66d990da9fb151276552

SHA256
33655ce254c0d71732ee36525703dac9014b9fb9de96ffb8f7180461fb6598bf

SHA512
8b11398b550a7520a76a0eac015f283671d16a9d56584dbad9e96444be8ce02707777d91f47f6987254ebf9424e80531b0a83f7773e4e8eddb14248efe55cacf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9815b7992a7dc09127efa07308157dec

SHA1
85537ee9fc76ecb796a8c2581c019b0d660bd80b

SHA256
0314dc2dd964bbb7f15188f35a0eebf93706b783b2174b550ddb14f7e1a395aa

SHA512
32a27b6c8727f463910bf0fc3ee0b7759e1d50ede2945822ed2827b85b73cf5dd5e4edfda96f3b8efe44d36e8a02c1694205c39a7b869d064813e67e2e05765d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
930ab9b7fa96197d5e7bb64dc3dd4514

SHA1
210cf33ecd74344107101b95b3aeb340aae33dbe

SHA256
55e2732ea905b533bafcea9a20ccc692d9516e110679e577705eb461da1a3231

SHA512
da7d52196cf4443e8f5722cae1dc4f81dad44c10015003e878a7e20977a1d501d022d097dccb9936945c1d6f80d88d090e749fdd02525499efef83ced20afab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit