hxxps://outlook[.]office365[.]com/Encryption/retrieve[.]ashx?recipientemailaddress=allison[.]clark%40eastgeorgiaregional[.]com&senderemailaddress=Natalie[.]Valentine%40CBTRCO[.]com&senderorganization=AwGAAAAAAnwAAAADAQAAAM%2bQtz6t2DVNlrG7Cu7gXi1PVT1DQlRSQ09jb20ub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjA2QTAwNyxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NywWI2fDrPUmd9VKdiQBYUENOPUNvbmZpZ3VyYXRpb24sQ049Q0JUUkNPY29tLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIwNkEwMDcsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTQE%3d&messageid=%3cDM8P221MB04568D64D93C01BA1232C80E8CBC9%40DM8P221MB0456[.]NAMP221[.]PROD[.]OUTLOOK[.]COM%3e&cfmRecipient=SystemMailbox%7bD0E409A0-AF9B-4720-92FE-AAC869B0D201%7d%40CBTRCOcom[.]onmicrosoft[.]com&consumerEncryption=false&senderorgid=10e46e02-4d52-4857-88a1-6b9426904d0c&urldecoded=1&e4e_sdata=VggpbxKUI0x9mttAl13yzHClW5oqjc0s3wdc6SFGSGyRTrSlcp7G82hthKVij7NK9u01%2fo%2fBxTuJfGk3ryPNnvQ6OkKh5KkWexjT5466fzwN1MWK7vBGvRopHSGOwA7SYdocc1YLG2KHy5wGcYhkSFZXS7NNeguXy0YXr%2bO5cxK8jbyl5PvoR6Quwg2hTTV7Ipp5e%2bfpr8dko71b7QkQND1mNOx%2flzYdAawPEOMZqMipJiF%2f4%2bvfJKJ8l8%2f%2bdbEa2XvX3WokUNMVAQRe5iWzmbpSXYSM4fgA9zyrozrW%2fINgnCUtw2rqd%2fNL0OyTmZbxFVjvZ%2bqgGgBSnMj0Ap0WIQ%3d%3d

Analysis

max time kernel
247s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=allison.clark%40eastgeorgiaregional.com&senderemailaddress=Natalie.Valentine%40CBTRCO.com&senderorganization=AwGAAAAAAnwAAAADAQAAAM%2bQtz6t2DVNlrG7Cu7gXi1PVT1DQlRSQ09jb20ub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjA2QTAwNyxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NywWI2fDrPUmd9VKdiQBYUENOPUNvbmZpZ3VyYXRpb24sQ049Q0JUUkNPY29tLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIwNkEwMDcsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTQE%3d&messageid=%3cDM8P221MB04568D64D93C01BA1232C80E8CBC9%40DM8P221MB0456.NAMP221.PROD.OUTLOOK.COM%3e&cfmRecipient=SystemMailbox%7bD0E409A0-AF9B-4720-92FE-AAC869B0D201%7d%40CBTRCOcom.onmicrosoft.com&consumerEncryption=false&senderorgid=10e46e02-4d52-4857-88a1-6b9426904d0c&urldecoded=1&e4e_sdata=VggpbxKUI0x9mttAl13yzHClW5oqjc0s3wdc6SFGSGyRTrSlcp7G82hthKVij7NK9u01%2fo%2fBxTuJfGk3ryPNnvQ6OkKh5KkWexjT5466fzwN1MWK7vBGvRopHSGOwA7SYdocc1YLG2KHy5wGcYhkSFZXS7NNeguXy0YXr%2bO5cxK8jbyl5PvoR6Quwg2hTTV7Ipp5e%2bfpr8dko71b7QkQND1mNOx%2flzYdAawPEOMZqMipJiF%2f4%2bvfJKJ8l8%2f%2bdbEa2XvX3WokUNMVAQRe5iWzmbpSXYSM4fgA9zyrozrW%2fINgnCUtw2rqd%2fNL0OyTmZbxFVjvZ%2bqgGgBSnMj0Ap0WIQ%3d%3d

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133235483567324281"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2968 chrome.exe
2968 chrome.exe
2920 chrome.exe
2920 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2968 chrome.exe
2968 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2968 wrote to memory of 2268	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 2268	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 1204	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 456	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 456	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3468	2968	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=allison.clark%40eastgeorgiaregional.com&senderemailaddress=Natalie.Valentine%40CBTRCO.com&senderorganization=AwGAAAAAAnwAAAADAQAAAM%2bQtz6t2DVNlrG7Cu7gXi1PVT1DQlRSQ09jb20ub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjA2QTAwNyxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NywWI2fDrPUmd9VKdiQBYUENOPUNvbmZpZ3VyYXRpb24sQ049Q0JUUkNPY29tLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIwNkEwMDcsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTQE%3d&messageid=%3cDM8P221MB04568D64D93C01BA1232C80E8CBC9%40DM8P221MB0456.NAMP221.PROD.OUTLOOK.COM%3e&cfmRecipient=SystemMailbox%7bD0E409A0-AF9B-4720-92FE-AAC869B0D201%7d%40CBTRCOcom.onmicrosoft.com&consumerEncryption=false&senderorgid=10e46e02-4d52-4857-88a1-6b9426904d0c&urldecoded=1&e4e_sdata=VggpbxKUI0x9mttAl13yzHClW5oqjc0s3wdc6SFGSGyRTrSlcp7G82hthKVij7NK9u01%2fo%2fBxTuJfGk3ryPNnvQ6OkKh5KkWexjT5466fzwN1MWK7vBGvRopHSGOwA7SYdocc1YLG2KHy5wGcYhkSFZXS7NNeguXy0YXr%2bO5cxK8jbyl5PvoR6Quwg2hTTV7Ipp5e%2bfpr8dko71b7QkQND1mNOx%2flzYdAawPEOMZqMipJiF%2f4%2bvfJKJ8l8%2f%2bdbEa2XvX3WokUNMVAQRe5iWzmbpSXYSM4fgA9zyrozrW%2fINgnCUtw2rqd%2fNL0OyTmZbxFVjvZ%2bqgGgBSnMj0Ap0WIQ%3d%3d
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff900199758,0x7ff900199768,0x7ff900199778
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:2
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:8
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:8
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:1
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:1
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:8
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3860 --field-trial-handle=1816,i,2278860323327721078,8538478271164495488,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0a991e8bb0401e2e55cc832211a1ea75

SHA1
0e931894ae53f656c0975ae6c45593c895827e14

SHA256
f72d04b339a1479fb3a2759d61a2cefaa7a29a5017c98ab0934e5bc841f6b226

SHA512
bafb3982df3b98afbb48b85da0439372bf538388fd3ad27c561d09d97c7b3a96717e537389ef75f13cb4e30485a40f122b89683636fd79f4fe17263aa6bd195b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
d292653f16ac4551450d0687ba0396c7

SHA1
abec9665473ab31e498a809ba4a147605742d953

SHA256
9aff0ecbe24f4509ad1dff55254480caac756363ffaa0adcec56bfe0c279e9f0

SHA512
bb9a6ebb949b657ce6bce8f7c2e13027fa4fb13a7e80e1272534ac4e46ae2f006f74389588f01746b9940cd48207014553c6e3329d2443a2521d0009f5ee357b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
bd46b87eef5860b9bd75a71e8bea3131

SHA1
9e24688d64df6824f8aec789b0b4b172ae9d661a

SHA256
6672eaad079bced1228a8c96443f9aff9e18d45522e98a614b2e59b6b2a0c6a2

SHA512
846e21df7e7abfb83d9b56ea8284c8468b5c87687de16ea1bd15abf309fa112fd587e22f67b786f0a61dc718608ef08447a9bce619e736b1f6ce073a418c4f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
0d57365ae6730b2cc033732832d36549

SHA1
f6c75b5e12381fcebc6890feb9808d8a6e73ad95

SHA256
484555b5315b626e68a85e39eebe2d1479101f90071cbbaebf216717a68e3b63

SHA512
bae0e7a922cd8e3b32f342dd58017e63e32af5bcadd7a810682f96368e4b7945994e21401d256116eef6eae365788f12874e2e2fab1dd9604611cfaabb1faff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c5155cf1940c009ef1286fd6052de590

SHA1
dc0685d1e0eb60b5d15d179d69eae91857392354

SHA256
73351b619180f14820f8e53d4083aa71781640701a691de53324b1ff37562bde

SHA512
e57a16778cdb02b4146b387c3b9689bcd12cc384947666754e32bbdaf9179fdc7e596d7f4dce3e9eeb13a3db079b55b2d2e389ba63d4709fdf264e14d93b9c49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0a03ef69c0bed2089f12a5fb5ed2cbfa

SHA1
2dc11a454ca17bbf914a8eb3582fbe61bf1dd244

SHA256
aeff9022f156de5b82761b321a145b8b21fd6f6d916c2419e9fb53a0cf41a229

SHA512
a8f4548f56225015e092df26bb2d39385b6cacfd45a0389de39c2648fab10130118b5b51625451852141b665f3ab8d1215680f1f69d794601b6ae6ef4b69dbae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5f99e30447eb586e4c8e4e5c8c1c3348

SHA1
c643b3b284c5b4c17d9e4b4225a9707cdf1f3908

SHA256
9b718997f1744fd4ec4f9eb63ffce18a170b3fddf19459264b8efa08c6a5be51

SHA512
91e2251cd94e27ebe9f335e11a6d62a59609e4f235dbe5d7eb688703248c26d222e49e234b7cb592776dedb0ce5ed73b2887717b8b21371523810192331eb5ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
cb6be63095503b8cbb2cea494ee59dff

SHA1
7d13fe9f141d6149eea7b02aaee592df7d6c7ad1

SHA256
6846510c564e23b868dc944754fdc825060b99ceb9e1486dce1661e4585bc50b

SHA512
88356571b1d1ec9fbe47ed25f60b4c6f541ec21d24281bf0b2d5d1f274a84b92cd5fd46015e4e3931d7737a8990a6b7a5dc55a7de303d2adc9e331a471ba442e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
f584313ca67370286e67785d5c4bf01f

SHA1
be82b22b1f75a033c12e67b148e0931914cca22b

SHA256
4b764bcf4bfd88d71ad39c171497be8efe8a3a75e5506ba382befccb5f45a806

SHA512
75c608d15b48bd27fe99cdb1cb573869f3bdc67339b3f561b88bb5418812d112d09b5a9bc5f8547604d193731b115a433b048ebe6ee4a175eab46612f7e04d84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
534B

MD5
eb620eff5611a3911d3042169a0e607b

SHA1
5d8d881d385f098afacbdb84bb6686da194c1d0a

SHA256
ad32f4e715312dce6f9e3df2e7533bac16607837d53152ed9a5980f718dfa846

SHA512
8725112db3daa98db4d0c48af735bfbc5f3aba08d2bcc311f80896acd3e8ad61e4b02981079b020614df85389a5ed397eadd5fa936a414960b43b909e5b33b7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cdfed46366b2102fa3bc65356787bc23

SHA1
1d4e728e300991f89539a6ae999f1c9d1993f2f7

SHA256
f6b997e7b66e6004586e4778d9faf71eea10b7d3fe8481f662f5f7ade5f4f9b6

SHA512
95cf8e2aa6e1c4e4963f410d7d761e7f1549524c26438f0d07ff16808f5cad22a04606a27e9b5aad413df6a08478849aad117fa48b172b67faca0dc1d8a2e692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b32ad602356b8e7337078150b3c2cadb

SHA1
5c3128badad28e5818538d2a6063619d5f5e0632

SHA256
bfa1008e445c237c90e8ae98cb3e9d0e401cc223f704ecf251a7a5e6b53af1f2

SHA512
6291009bed8b35c85863974fdc89d9a49402b5bc580940634168cdda5e5935427819b8b34954c9e1927e6ad625475c97e603f763c3cb20ef23be744c08809e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
40c1716e28450efa127bb54ebfd5b081

SHA1
19a51a4f394d62a171f84efdfafac7840ec2a7a4

SHA256
cacd52f029ee8cb2eb727bec60d0f85e7469fa2e07b14df344895c4296c1f981

SHA512
9fda7f0654521a1da7b7078ffc04ae79e4418ef37a9634d2d9f428dd9f09965b75d5a4fe878d330f541fd25cb7f67ad8110f5c15d7cdecca5ffc7d9b00731a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4efadd98bb3b7f7c9ad19a1c473624fe

SHA1
1a509721baa22264fc6754a2c160300fcf4de7c5

SHA256
f0fcfba8de6f57ae11b70890159516b59a2d632571c210c2f7dc73ff47af9362

SHA512
5feba4a690e759ca7482f7ebfe0f2a0f25c93c1c57e642359e5b3b2c1f078f9621469157f92dceafb9fda706ccd534345848e405722c92d754e76eb7ea384a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1e91b19160a66203e2aca7bf382349d4

SHA1
49fb12cea4e6d1aaed45ba50a576b8b532b42353

SHA256
b6ccbb939f4d971f746364adc9c3c13eba8e847bebdb4f7c6bbfcdd77ba2eafb

SHA512
5695259508cdc61f33ef9ee74ba3d5c0682f6ffbd11c05ba4e4c19508d7d5095c32f149f8699aba0eeb2abbb2f4a479f2ba4aa071d2cb7b1875cf7d1f653f3c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
2415dbf4df8337a9111aa55f0828ac89

SHA1
685029e3e581e1564b091345a318bb548e9b28a3

SHA256
e89539ffaad22df69efff21deac5aad3a92044f5f5bbdb71b8eff595d49e7f11

SHA512
e110b161d883eed740e7b1673aca0ba97fcd9389b495dc67280782660b3d09386aa4a547668ffce70b334860e5868d8b0edfd5b89f82198f55a14c27d7997973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
aa9759e90c05c57497245b975837f56b

SHA1
a43a4bc053f7d73f2c622c90d4dcd3ba57fee93e

SHA256
699804f3f9893b0ceddaa38d19d89bc492b0cc6b5a1aad25826b56ce100a472a

SHA512
4782045327f516f833faa6616c6b94399ff0bfd08d41bbb78ec3931126db045ce8ba9ca029e1c691cd1e05b44c5853def274378db68a2d47113dd138284e3a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2968_LRSBLODTVAXJDJVR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit