hxxp://mail-oo1-f59[.]google[.]com

Analysis

max time kernel
149s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
07/08/2023, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mail-oo1-f59.google.com

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358780223633229"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
3716	chrome.exe
3716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe
Token: SeShutdownPrivilege	4692	chrome.exe
Token: SeCreatePagefilePrivilege	4692	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3944	4692	chrome.exe	70
PID 4692 wrote to memory of 3944	4692	chrome.exe	70
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3640	4692	chrome.exe	73
PID 4692 wrote to memory of 3984	4692	chrome.exe	72
PID 4692 wrote to memory of 3984	4692	chrome.exe	72
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74
PID 4692 wrote to memory of 4468	4692	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mail-oo1-f59.google.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd034f9758,0x7ffd034f9768,0x7ffd034f9778
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:2
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2760 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2728 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4488 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:1
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3176 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4960 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3948 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 --field-trial-handle=1800,i,3658313429959580873,10035870440079611208,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6d116b0565face1afb32331d39b30978

SHA1
99a11026549f7f5a44f22a8e9ffe60bb8b15e768

SHA256
4407c673a45f60833d0b9848e845127e3ad3aac605caef0a088d58d1d1ab445e

SHA512
1f7c713cbc06349f7f7197d009d164ae02856b894b26605bc5a320ee23f95817288ea55ae013632eba629741ae5184ec71c6a46460d69c8a142ea9baff9bb7dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e6053dcb4b291db515f0123fe63f546e

SHA1
6b618e68ecd17ba1e6d5b7a1f58f9ee1804d74fb

SHA256
567c1b461bb6557cdc2bf079f9ccdedc4cd35dd4cadd830c47e69fa6d0603b4a

SHA512
bd2ab94d6ee7b0944ef2456124cc0df5b33cdf7a738b68a18a048b467994fbc0401e39dfbcf6f8c425a927980b81b151874874ad5b2372f894d94f0082a92d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
326d6d26bc7d81487d7a5965ac370a70

SHA1
2125f60075320f877017e7caefa3eecceac9236f

SHA256
9f4388e8b716a28517cfb9491d4f03171d668be215c1764bafacbfc62b11d57a

SHA512
8919b81e740a5dd1f60e2d6efbd231016c1b816f3ef15506f1d6f4f45f3969ae5618f06acb00eed70718fd3cfe5065bfbc8d300f78710a869ff371ee344892be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
e0127641f5d25197d167cdbb610ca8f1

SHA1
886f50ec976019737bd9b7c901017a20d1e9dae1

SHA256
0709ed0c2754741ff73422b2966b8992357259b315b27b6d3e4a030ad80a22cb

SHA512
f3a162ced0ec7a454fc685c949ebf126aa9159ed5a397cfed8a7b2618afffaef3a9bffd68015a35da8816c8a3b469a245e7a2aa8ed635b5c914abfeeaa281a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
997eca18236f85b1555602b7f86bf99e

SHA1
a4b14436470b295dd9e21d5895aaed1ea951865a

SHA256
7db44924fcbc12952ed74662718947daaef7eef8f067d3b3110f4e0c4f691fd9

SHA512
ade518c959bf9fadf391863b1b4d06576d42a3d549b27edf042217308d7690b317975ae11dd5919298d40342c254c038dca3efaae02ce264adaf36065d57ad4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59797c.TMP

Filesize
91KB

MD5
43fc9cbb64a825325b867b21a0bf74cf

SHA1
cda42f70d981862c472e83ed649636ab2340ef31

SHA256
69ca7c75a557f5bf13b19c67c6c5be645b01e08da411bfeaefc3154133492506

SHA512
92e5b218cdc4e5d5220544cc9e02bd4d9547c628f456d793ea91bfe5d6d2b25f59a54f5232a5cd21f95ed9fec365278521ba5691df1c6820648844b4a0cbda96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit