hxxps://a1f5d8pmya33vbl0ed[.]rujba[.]co[.]in/l2/chrs/index[.]php?lpkey=17fd10f9195e10af05&lddomain=rujba[.]co[.]in&pbid=4531&t1=ALL&t2=chrs&t3=1649&t4=348507&t5=884086942&clickid=a1f5d8pmya33vbl0ed&language=en-GB&uclick=8pmya33vbl&uclickhash=8pmya33vbl-8pmya33vbl-us9l-usdz-h9qn-e2a0-bgft-589199

Analysis

max time kernel
132s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://a1f5d8pmya33vbl0ed.rujba.co.in/l2/chrs/index.php?lpkey=17fd10f9195e10af05&lddomain=rujba.co.in&pbid=4531&t1=ALL&t2=chrs&t3=1649&t4=348507&t5=884086942&clickid=a1f5d8pmya33vbl0ed&language=en-GB&uclick=8pmya33vbl&uclickhash=8pmya33vbl-8pmya33vbl-us9l-usdz-h9qn-e2a0-bgft-589199

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546646957205356"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3192	msedge.exe
3192	msedge.exe
4952	identity_helper.exe
4952	identity_helper.exe
1936	chrome.exe
1936	chrome.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
1936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4164	3192	msedge.exe	89
PID 3192 wrote to memory of 4164	3192	msedge.exe	89
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3128	3192	msedge.exe	92
PID 3192 wrote to memory of 3396	3192	msedge.exe	93
PID 3192 wrote to memory of 3396	3192	msedge.exe	93
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94
PID 3192 wrote to memory of 864	3192	msedge.exe	94

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://a1f5d8pmya33vbl0ed.rujba.co.in/l2/chrs/index.php?lpkey=17fd10f9195e10af05&lddomain=rujba.co.in&pbid=4531&t1=ALL&t2=chrs&t3=1649&t4=348507&t5=884086942&clickid=a1f5d8pmya33vbl0ed&language=en-GB&uclick=8pmya33vbl&uclickhash=8pmya33vbl-8pmya33vbl-us9l-usdz-h9qn-e2a0-bgft-589199
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd796c46f8,0x7ffd796c4708,0x7ffd796c4718
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2368 /prefetch:2
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2352,14234070438146705668,9864451018214555357,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd68d69758,0x7ffd68d69768,0x7ffd68d69778
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:2
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:8
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4044 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4704 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3008 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5216 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5392 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4780 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4760 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4800 --field-trial-handle=2020,i,14146821307063491184,8096713401234017865,131072 /prefetch:1
  2⤵
  PID:4076

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
94KB

MD5
7befc62a5d7e5575675697109c392b9a

SHA1
377cdf64d0a4832cc269027b9c839d18b4854e8e

SHA256
f870401ea0628bae1dad9fe1144b0022eb29b2023a4f4e04f9ce964bb3879875

SHA512
e0a967eca70857a88595c35e8e1afc4383af47251dc5b6046b95ecd45f92172848cd995ede8433f68ae97dbe5d651b747cd7fda1c467d4251f988e8738248619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b135b0a9c6cd831d881065a32089c6e0

SHA1
d70b0060a7c6c48c3b7f1d38598cf440aaa382c1

SHA256
c206d4b9d6812ef3d53390d3164d2158948e70a8e762d254478199bca9e57a5d

SHA512
b8866890288f8396fbdf5b3bb67650109aa305c991fb6c9b46cae0ea38c5df82515b32a21870d5ec35b328fbd5bf3c1910cd4b218a4d46d64911ead5b64035b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
09642324d6c735797385da0baeebdfe8

SHA1
de16a1d1d4b03eba4d4675cfe22b33505fa57b31

SHA256
4fc6f26c708f40ac1efb83dfd9d9a0d9bcd53f859502d0e69bb02c40b82d286b

SHA512
16b7db5f6d20d2ccc5825726b4042661f64327a3cd532de1447944d975fb3ad876837fe61415c0917a186f53b6d41579a45dc567d916453dc7904f5bfc071c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
69cf5447e36e98bf9588b5ac7f2eaa6c

SHA1
7fdf5144b1661c7735fb0a224bff20cffae4451d

SHA256
2f9a4a3ec12be9f9229321433c120bf9d9da87007a057b34e711a511c3f61276

SHA512
23d4c51c4f464e892e2cfdc56afbf11aa20949161ead3ec7f4cc04eb4bf6522888c5696bd0ed12b55bd38d99056f2c17430e778d9c14fa24919506a25b423257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e5199c50ec7f96ca25b90d4be157593d

SHA1
3728ad0a243e8fd9992dde379f18ff862b0903a5

SHA256
b9389b6712f35f6988148c2ddb26c0017ff0fc35699454a7592551466d44f340

SHA512
09c5cfcec033647cd749ace503273e805d4fd0ceae62a3e33f9c3d5b371090d419c58faa27cbeb4e7bb47f3fc6af9409d104d1bcf89c70885a31b11557f029a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bb28584e86be146715a954ad4887293c

SHA1
ad3f1285dfa77c23ee44bd9fa09f716abae785eb

SHA256
d9429a6066c430252c001fc53d5e679d1c3c2a2e301b7b9fd5eff99732caf8be

SHA512
c4b4e2fbee83a3f8db74509886611d63ccbf17ff4f15ab940892448be3df9381168a785e87366e0c0f5b59f6a09fb5ead545fdfa12df90d081582a0d4c5f9b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e6bfdc7fee3b50fe23d0751b72d1172b

SHA1
8dc41d4a11d827eda3b388920501ad90abbab576

SHA256
b80bc1030904af722d0de30a412e839a72b819baac8ef70df8d46c5eefb9ff57

SHA512
9f03ed79b5ff86ebf162329fce9725bde2f99573233575ec0058c9f3fd3ca80f6430fa40eda045f466e65fdfa19bae0c236a02e410aa106680fde11ad3eb45bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
8edbe80d28ba1b528fdcca7dcec6243a

SHA1
48ade06d1fb2bd5a0739429b4cca003b403930db

SHA256
662f0911e9e0250ca3d78cd3713a6c058a6f796d1e3b37b1909901757a08e987

SHA512
b9febaae30d66e6e0d50506f5df76d97ae6d43eb681765f9a42782c088d148e6a5722f68c0bd9ac99396a097c09032efeb4bda10a35d0ad37f5f316e50e19c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
54KB

MD5
6985d6c2a0b95c0eaa9d7b63fea86a3f

SHA1
0f95ae90cadbbb0397e17018af0ba17ef4581d0d

SHA256
168b3c5292522e60385831afd588f6f514abd09bd982f2c7eb7ac44e9486112b

SHA512
8194b45d713f4f361667b6eb128ce71320cc5fe7f3d57b3bab111618449721c969a8db12721d1ea6b13ed7a7be72b33034453d988a71b8f6346e04a1f3cd44ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5966af.TMP

Filesize
97KB

MD5
fd9765691e5cb34246898a42dcc1cefd

SHA1
5d381e948a46d731718b2adf5790a61228e4d424

SHA256
016f1ac5ea81966a714c6e5cc79f545047ef92e25d140807a434aa945980beaa

SHA512
88701a9ed69591aacbf92885e9d3b4e7420ec14866027e9ca5c4551f8da4994c5583053e7fcd0faa630ce82d2cb8a68051653ab9fe6c6fb2f3f17be72e794475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
487B

MD5
9e7fad6ca07d92ed0feb75513fbea4db

SHA1
cacd25b86ec2d1b0770d6c91ccc21726f3e55fa1

SHA256
cc37cc913e368e0b9d3c21893d3c7afac499976f9e7d68496c183fe4bb766b72

SHA512
4965add256a1796ab4563cc2fb9d096306b00cb78cad0f8a64e268bf7a324e2494e59da694ba149c9bb65b5573112f3743b9da092ce5e1a0336e1817d4573447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87c35a5cf6ce0f3b6162c4aca31ef5d3

SHA1
5ae1d7b5c3a558d320b2ef7771e55bc157e07cbf

SHA256
02590ab39ed9ea17d3b6e650ba1de86b4cb65a3e39ca5885615a0d3f06289fa8

SHA512
18bdde4004387efec75bb05a784164e3bbeb0efb5d93955da2c32d80ae91ed8d3c7c777320cf0c7d063ba57cd1790ea0965a921d7b5e6373d1c2c1b0ef82c0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
580d525e2bc19d15b53af161325d3980

SHA1
88e095a0424ad8adedeb4f171737933552cff9f3

SHA256
79e5ba52c6f3a6b23f6afa03da6b43f2d4e8771a1009b86e08aca45bdeb244ce

SHA512
664ded970f2e2dd2f2149339a9b98f3afb1ec1227a00469c9c908f58ed4aaf53f4d7dfeb2ab5d0d75cb31c495bfbd554e77fe7699ca569827f133cba7facb1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecaef08b322b49f24a5cdbd9bcd86661

SHA1
65c5c6281bc56a8187a32f75ebd594736f2683c1

SHA256
36eaa343df39b2f876c7868a3cf338b9c5064b31ebf1965cd037d1e30593cead

SHA512
2742b30114d0fd30969563d0af5bc6f5691a1cc7ac74c67feddfa1db18b6a8dda74209942a69a702f310244f1603068d8d575d442cfb982feda530d744883565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00f861431aee7ebb1d3c55277d893b64

SHA1
098b1a4c69e4e40388a62e7d1e895c7eed647848

SHA256
ebceab9a0c08ba30e4d2a78aec804c5b9c07774155b4cdc3f4cbb5f2fd1c9b3d

SHA512
2f06b607fdb6a4f4cd218fbd6e495f2a52cc6ae7c1d02f8c890a5eae55b8c395dda8a0b29d818b0b61d41bdfe64bca84a370179f1341c937821d2f6c8d1b13aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8905a5de83eb3394a4ba520294d65aa3

SHA1
669afdd42d94e4aad19bd74028ace13cb196eb62

SHA256
0f2faf950e485aed216bfffa17176cd71a77bf084a4db33d2f83da4fa4528274

SHA512
103375cabe843d1f9a49843999ebff47736314779a848c6f975140149a1672fef71864d1d1d2c4f47798554d3a2ab6039bc832d7dad95bca74e604a8026de60e

Download Submit