hxxps://groups[.]google[.]com/d/forum/geek-squad-customer-support9486dwoh

Analysis

max time kernel
301s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://groups.google.com/d/forum/geek-squad-customer-support9486dwoh

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133359114626256446"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3812	3364	chrome.exe	80
PID 3364 wrote to memory of 3812	3364	chrome.exe	80
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 2548	3364	chrome.exe	82
PID 3364 wrote to memory of 3592	3364	chrome.exe	83
PID 3364 wrote to memory of 3592	3364	chrome.exe	83
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84
PID 3364 wrote to memory of 2180	3364	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://groups.google.com/d/forum/geek-squad-customer-support9486dwoh
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9044e9758,0x7ff9044e9768,0x7ff9044e9778
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:1
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4888 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:1
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:8
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=404,i,16194786077665424146,14290467264103558769,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5f5a8d5a-f275-4ede-8759-eb66852c17ef.tmp

Filesize
87KB

MD5
b24e57d107000de47fa9d8730b8301ff

SHA1
ea615441c32ddd1f7e5ee80ae729409b1eba5204

SHA256
534150bc4112ac1817f6bb2e12b40b870fc489ecaaaa3ab5f853463ebe974d69

SHA512
6e26680c44db1559e6199e4725a334b3864727e270b38868bb2a5f78528e201fd065a538c034fa2cc1520c7fa38ef39a7b2572cb1828bc4ce251e8ceab60b0d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
3b23bff4906fa6b8b2226c32a4b87711

SHA1
b9f6d85da2c47469edf670f2dadc2e25541b4215

SHA256
1807222241f7e577e7e5796f691678428e002febbaaf9a81967be71fc23595d4

SHA512
c6e9c1f79d091fccf83f0d8c0b6de9e26478339a57ee7b560359010d78a7526b0fcbbd71d30dad98c6ac43a279f742b6669c153af6b87e5553d0eeefd06a52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f2c098b1d114a511982619525198d464

SHA1
3c9a76c371ad00dd864e5bd70fa80771a6730a3f

SHA256
e1a979fd2ad6395ed1e9153a90394051591d2abc1b19de991994290a2580968d

SHA512
c07a8a3f747652042bd97cde27a138cb1a9736578fbbde6c8fa3b4638168d0f3db4759940f5a57dfef7e63eea3a7cb92b83e288e7c6f359302b71e522c22dd8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5571c445ac0763dd54ffb4f0914b21d3

SHA1
2d88aef1d1ab19516c7e6d56566289a912c72fbd

SHA256
635f867bb630cec524f9cc40a914f4e95d808be07e4e43b2e4e7b739004bdbd4

SHA512
a6552fe078b0b419b60cb7dea6d065599bd70ecdb6109155977bd294a47e88778de2c6a16c56f73b8fdf8c09c25515765ceead6529591cc242613feb4c77d4c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
160b7243310b76e3e6ffb916d1ba884d

SHA1
f3db5e80c10204715d68db6208e6ce004d8dcb93

SHA256
6e73a03586e36cc7f566a7d101360c5ac5441ac3231f7e9d55326681db4cf67e

SHA512
2daa3102ae69d465897e1d13caeb32d68de6f068e10604f50176f467f758555712dd1c5b7f11fa05d000ed7cce4bcdcffe125258b0ae1bf87b19898438dcdb98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
10edeafcae49aceb6a81e92df76b0f43

SHA1
3aff5ac1f6560cd5ccf18eb409ef60d9d9f76b17

SHA256
65dfc33be500b61624d4135dde3967ef868343f164bd036035c886531698d773

SHA512
c55e018365b94894271ef2426ddbe6b2b98c6764459f363fd3fae871da28880eb082315ddca68e7fb18f3ff68ab1dc8bb4107d520258af0c8a74dafc8a05aaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aa4a145051c0da5c373bcfb6b9a6d4a7

SHA1
d801600011373bb419194dca56e62ccd8748fde5

SHA256
a0df273d50869dfff87cacf9507b70374990a6ebe1fdd7fa5bf835f3941344d9

SHA512
6e7d0dfe4312bdf0ef3f4242dd0056252a9b0b9ec0cfb1d03c815a652a9ca9c1ecbfbb8e910fb4b957d7922ed4d19c2037de8d17b61b5d268471150c0e911585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7f5335ffe9bcfddbe5ddffeefe17a1f2

SHA1
4bbfc54615bdc73614743e851eb581929d234a83

SHA256
587d1ea5e835911c5370428568c55ecd911c77f2a32be511fb738d44015a4107

SHA512
0be605d69119d39e68c81e659e90fcad4b245bda149a9e85f5cc0e96203ad8aff99f6f6e575f2c2c4a8b7b4f1d935f19be9ca99756406157e17267927cb9b511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit