hxxps://docs[.]google[.]com/document/d/18q-Svvaf9j3_Z1ofNdgGNLCSHs5e-BJf/edit?usp=sharing&ouid=111083701336452803468&rtpof=true&sd=true

Analysis

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/document/d/18q-Svvaf9j3_Z1ofNdgGNLCSHs5e-BJf/edit?usp=sharing&ouid=111083701336452803468&rtpof=true&sd=true

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133366004644024625"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 3668	3308	chrome.exe	45
PID 3308 wrote to memory of 3668	3308	chrome.exe	45
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 384	3308	chrome.exe	83
PID 3308 wrote to memory of 4836	3308	chrome.exe	85
PID 3308 wrote to memory of 4836	3308	chrome.exe	85
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84
PID 3308 wrote to memory of 4248	3308	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/document/d/18q-Svvaf9j3_Z1ofNdgGNLCSHs5e-BJf/edit?usp=sharing&ouid=111083701336452803468&rtpof=true&sd=true
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd30489758,0x7ffd30489768,0x7ffd30489778
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2680 --field-trial-handle=1888,i,6164078104923573934,102919251930599887,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
6a82ffd3c0dde1501c8d036d9e65fe89

SHA1
df71a109867a04d4d11f2bfe28a93b723539aa4b

SHA256
d30c4b349858c909ded3f9c9bbcd9fd18445a6aa53e76a8b3f765a3e6507e073

SHA512
8943460651bc022716fa7e49d504d8a9a038e9c58dc3edca6ba9eb760a6ade4f46b00344bf7d85139f2e3921ce7f97690b673bd0de79dc2154f17ae05db7ac60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
9577f46e8f3667fff7ad60c407912273

SHA1
0a853fb28b2a326c87f3ed1c3c3480b65bc0f230

SHA256
ba597f1d02b3bebeaa782ae24f578a06067732cd306c57bb974bf4b76779d387

SHA512
870eb11c00c8b04efc1be87405ad5168cc7944d05d379aa36c316d59805e3a73e65cdefb9fea45febd5bca96a9a19cc6693c5ec2c2c7a6791ad5f5503db06c9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7b11e3507044a14f0054b6af0b46258f

SHA1
45256fb2be524815656ecf72ffba4752b38ef94d

SHA256
61edc6a4754e34c32adddeec2b7a947cb8b621429206c271faaaa8892d031bd8

SHA512
bd4d26af4672e34380892456202f5bc66d13765d99c3bdac44a43edef67ea63a70c6a75155906436797ee8f3207627c1bb978d69d9241039339429ca3f13a1e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4f10fb3daa2fa1857ec7ef2b0e172c55

SHA1
78a4c7013a818bc57b1eb558caeb392abcd06746

SHA256
b69ee2f9d3af6c6903ac72ae055f6b63ad8d3fc2948c978aded6123d288e3018

SHA512
3bb6a3c8ad55a4398c24768401cdeae1b413e714caaf30cb5362994aa505039b75791b2c823abee8427f2e6738043bc4dc37bf855a17ae505860d47f42e0385b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
49c4aed85751097ac6747838fc29e0cb

SHA1
0c144e254973ff120cf24bc6e98ad04438a84976

SHA256
b37c4029ea96e9e251b4707d9fd5f922d1e5baf81c4cddc3530f31952197fb54

SHA512
a4cb6651d0cb15f2b9efe034f9bc09a3dbfdc62ae96588c4c682b494c0f694cca4aff60acfefa0283c2de64128b272c8af0eb288a702a7cb1bdf250eac5a0506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
988b387f952cbaafdfcba917fbbce4ee

SHA1
6b9bef0d20206b2a59bee06a14032fdbf0cb5c3c

SHA256
db75771f3de7019c35f81dd512b2b4757c889c8feeb71024ab120778d7e646fa

SHA512
3e2a48c8e2f7f964b2cd457a2fd22067298af09844aea35679d9f0bc99a06570e39a23c38ed257eaeecc3e9ba81717fe74ea96cedb817d960b89b634d21ef642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6f950e12c343669480c8eb6427473638

SHA1
a7b1370e5a6ffcfe261afc2d4b5ea07ce9f76725

SHA256
6e805f9c5cc8ea1abe2f8df2d396e3052fccd17d993d29082287a2536fde7eab

SHA512
3eced5665b7bc29f420f8f4e3c03dcd80da77ecb7cc79dcb07d75031704ebda2f1f750817c229e8e616d9b80db93526a8c0fd592d6014ead07ac72c2a1ed0935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
17f6227e4f9ab0936dfe1e5b47f9840c

SHA1
9755891369423ab41d86681ff6f90efbec3bb332

SHA256
9e3db22beb85abdb86773601258558dc3b13e748af364cdf433f52cee0884649

SHA512
e0d2f0c598bc851ad2c0292774e5285c4bed7d53704ef8d525eb6faf9cd63a9179b445c48794bbdf09529511952293a3692b8424e02e1701d3c43c7bac0b4e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit