hxxps://docs[.]google[.]com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit?usp=drivesdk

Analysis

max time kernel
42s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit?usp=drivesdk

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133366381701265346"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4384	3032	chrome.exe	59
PID 3032 wrote to memory of 4384	3032	chrome.exe	59
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 1600	3032	chrome.exe	84
PID 3032 wrote to memory of 4400	3032	chrome.exe	86
PID 3032 wrote to memory of 4400	3032	chrome.exe	86
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85
PID 3032 wrote to memory of 4936	3032	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit?usp=drivesdk
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3f189758,0x7ffb3f189768,0x7ffb3f189778
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5208 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4740 --field-trial-handle=1868,i,16183206292902468357,16370442838925872525,131072 /prefetch:1
  2⤵
  PID:3476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005b

Filesize
60KB

MD5
5a45fa3d58b4697efd64886e6321eb1a

SHA1
c4f0e71a8ae9c6783045bbf4c2affc410acdbf36

SHA256
cd4ad205b486a8c17a7d8d27e2920b72ffcb845a80def91a5530fcb6ca30a901

SHA512
cb7ae8cedfc07aa62ef32601b171d222c9c8bc68456b8638de35e0223472b2a8f085002fdab0a453f627ee7b51c02eed68f7cbc6cc3b8aa3d3a0c37068ed1e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9e7c1f227758841564025357c34a95b9

SHA1
8967a47c24fd51243fe1a57a91ca6aed6f42cb30

SHA256
811e38862023b0ae2fc0e4e61a0421ca43cb42636c0140dbaef344499c6452b3

SHA512
4ea0e6a8ca3f023230141a41531474b27375ee2fd8ebdf2235dd8605cda4c8db84c15f8bfa0210a226a7059115f30b1540b76e8c6d809d28d0a2578266a3ba86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9d9f19a93bc3af724da34adb4b469b9f

SHA1
4ae27ae7550e59fb4c6ae4a34cf83ab200b720ca

SHA256
a58b0ff6e205f9f89b20946681123845270bb7067f47fcb9d2f41c5b42d84205

SHA512
a78baed658d68213cfc5ad11d9e2568f5a7c895e5c405d8054d05d01a748cfb231ca513e353646a918cac248114eb988230395cc002f426ad09c6626a5a56c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
d4db05782870c8307eadc92f60463700

SHA1
76e45cb88540ae2da8fd8ce7b8a6f456fc70d68d

SHA256
7a152037f6c880fc7a02485f748fecc27ffc35500197ee2e838b3d74b63387ba

SHA512
0c6cf4554225b73ce0cef815e7b2d62951e12e083c69cdf69cb4a006399dbf8bb477c668c835ab69ed1c8ccd34c1a9be97cc8dcdee7b569d10c593735da54278

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d7d6dbc9d49a29c6401f1d08b118ff81

SHA1
9c57aaf488ed4de4245fa9d39556a0790ad7b1fc

SHA256
72869800295fc99652c7a21d5f71a162dddafccf50d0c399aa1dd163a97676e9

SHA512
33fdd9bd5bd57b117a4acc9e0fc0efb540e7aafc9db07ce9e45ff51d30b6aa684a5a477db4968f0680f3b9ea062ecc170bbd1dfb7f3955abcabfb87c509d7c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
62d7dcaacfe8414db9156497d0578228

SHA1
bce110e66cf7639bf1e21a29be3be3e9d9f01cae

SHA256
1480da0470bf5897da93724e0f4a01d0aa3b223b2cf2f9e9ed7e0e3fd31de32e

SHA512
f61f2a99e6403614daac68890db0f6193995975543b295b093c58b5ebdddf523fa1a0577fbe4d3816b35bd74fe8a8c49d04ddae3c63836d7846669cd06184eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f7f234955498838c8e4659aae08bfa6f

SHA1
1c2d252205fbc2a666d1a39395690697c710e9d7

SHA256
94157e85ca75bf0352c9f2dc1c2df373f97433d26ffbc021790385d3bff5cc7b

SHA512
278ebf6b36cf9e0a8e874afcfab1755533a22d1efe1de94f74e6e94651cf82495acf58a76ea8f4e62d8d6bbd63e803479f6b923736dd15f5b63e0dabe36a69fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
aba99ad5047643d88a6158ca71dbcc19

SHA1
d55b6dc87e49173c20ccc50a0bf18545acdd1fbb

SHA256
59d8ce60f57545b538b443b9693580c34e83f46da031b2012a2f7fa7f5faf39a

SHA512
26f37ad31fd6a73901ed06badf4b1226d7c35990302dedc6cb8dec512b37a481228171d19dbae8afcebd6b813662b26dc87d241725772e941480684bf271e33b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit