hxxps://outlook[.]office365[.]com/Encryption/retrieve[.]ashx?recipientemailaddress=Destiny[.]Geer%40mt[.]gov&senderemailaddress=sarah%40bozemanos[.]com&senderorganization=AwGAAAAAAnwAAAADAQAAANNXDjXlRtpEuVIdMbUQTrtPVT1ib3plbWFub3Mub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjEzQTAwNCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NFSkBHqSY8E2rvCuFIPLDQkNOPUNvbmZpZ3VyYXRpb24sQ049Ym96ZW1hbm9zLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIxM0EwMDQsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTQE%3d&messageid=%3cCH2PR13MB3509B066941DA4349E5216ECB0CDA%40CH2PR13MB3509[.]namprd13[.]prod[.]outlook[.]com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40bozemanos[.]onmicrosoft[.]com&consumerEncryption=false&senderorgid=e9ab90b3-b937-4121-b387-b347f76e8a0e&urldecoded=1&e4e_sdata=lvLjmr4ocZKYcs8sVAIB%2bO3x40aWrw0%2foE6Ym%2fOQxU1TYMk3wz3B43wjftCAhfIrl0hZ6CHXpVibkvLfhoYVjbDWy%2fWKUuO1euj%2fV9pspbj94hwoASg450msmpwwTdp0CHVaXi0wdid3ZTlAEUh1OYYA0gHdMn5k4SbbpdWLT%2fMdv3TsI1LTbWJln47vvBuy0zOv9WkGjgGDRwnk3pkD8joeLbdsAirJ0NQJjnyjjzl9Dr52W90lAi%2fnNNYpQqj666FS7V4V9ry1vE9elC%2bK1wbUmfuAWKGuvbveFVOMayQNyk57oO6AZsBbu5iqYNpqanv45TVXXgjqzONtEhzbIw%3d%3d

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=Destiny.Geer%40mt.gov&senderemailaddress=sarah%40bozemanos.com&senderorganization=AwGAAAAAAnwAAAADAQAAANNXDjXlRtpEuVIdMbUQTrtPVT1ib3plbWFub3Mub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjEzQTAwNCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NFSkBHqSY8E2rvCuFIPLDQkNOPUNvbmZpZ3VyYXRpb24sQ049Ym96ZW1hbm9zLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIxM0EwMDQsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTQE%3d&messageid=%3cCH2PR13MB3509B066941DA4349E5216ECB0CDA%40CH2PR13MB3509.namprd13.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40bozemanos.onmicrosoft.com&consumerEncryption=false&senderorgid=e9ab90b3-b937-4121-b387-b347f76e8a0e&urldecoded=1&e4e_sdata=lvLjmr4ocZKYcs8sVAIB%2bO3x40aWrw0%2foE6Ym%2fOQxU1TYMk3wz3B43wjftCAhfIrl0hZ6CHXpVibkvLfhoYVjbDWy%2fWKUuO1euj%2fV9pspbj94hwoASg450msmpwwTdp0CHVaXi0wdid3ZTlAEUh1OYYA0gHdMn5k4SbbpdWLT%2fMdv3TsI1LTbWJln47vvBuy0zOv9WkGjgGDRwnk3pkD8joeLbdsAirJ0NQJjnyjjzl9Dr52W90lAi%2fnNNYpQqj666FS7V4V9ry1vE9elC%2bK1wbUmfuAWKGuvbveFVOMayQNyk57oO6AZsBbu5iqYNpqanv45TVXXgjqzONtEhzbIw%3d%3d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133414406114140111"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1552	chrome.exe
1552	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4444	1520	chrome.exe	35
PID 1520 wrote to memory of 4444	1520	chrome.exe	35
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 5004	1520	chrome.exe	85
PID 1520 wrote to memory of 1612	1520	chrome.exe	84
PID 1520 wrote to memory of 1612	1520	chrome.exe	84
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86
PID 1520 wrote to memory of 1216	1520	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=Destiny.Geer%40mt.gov&senderemailaddress=sarah%40bozemanos.com&senderorganization=AwGAAAAAAnwAAAADAQAAANNXDjXlRtpEuVIdMbUQTrtPVT1ib3plbWFub3Mub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjEzQTAwNCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NFSkBHqSY8E2rvCuFIPLDQkNOPUNvbmZpZ3VyYXRpb24sQ049Ym96ZW1hbm9zLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIxM0EwMDQsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTQE%3d&messageid=%3cCH2PR13MB3509B066941DA4349E5216ECB0CDA%40CH2PR13MB3509.namprd13.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40bozemanos.onmicrosoft.com&consumerEncryption=false&senderorgid=e9ab90b3-b937-4121-b387-b347f76e8a0e&urldecoded=1&e4e_sdata=lvLjmr4ocZKYcs8sVAIB%2bO3x40aWrw0%2foE6Ym%2fOQxU1TYMk3wz3B43wjftCAhfIrl0hZ6CHXpVibkvLfhoYVjbDWy%2fWKUuO1euj%2fV9pspbj94hwoASg450msmpwwTdp0CHVaXi0wdid3ZTlAEUh1OYYA0gHdMn5k4SbbpdWLT%2fMdv3TsI1LTbWJln47vvBuy0zOv9WkGjgGDRwnk3pkD8joeLbdsAirJ0NQJjnyjjzl9Dr52W90lAi%2fnNNYpQqj666FS7V4V9ry1vE9elC%2bK1wbUmfuAWKGuvbveFVOMayQNyk57oO6AZsBbu5iqYNpqanv45TVXXgjqzONtEhzbIw%3d%3d
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbba8c9758,0x7ffbba8c9768,0x7ffbba8c9778
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:8
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1892,i,5279033321063347522,7201990581898117618,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\897f7bd6-112e-49bb-9bb3-eac014264796.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
77a5224961ec7eb98b790799fd3a3e53

SHA1
54d1fad8dabd110fe7d6d8397ac0b18fce9538a4

SHA256
ee931477ce81727626eb6cc95bf1f9510b6d2eee2557e6fc55e7e097ba226a81

SHA512
08c2b992e62558fea4f0dfaa76483230bc52704d4c2a8169a1257ca1d3ea79f99bdc31d8af09440541f77499ed430fec124dfb078a623e53c11e3a44cd5788f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2beac48f1b3779305c2b440bdfea24ab

SHA1
b75b14dad9e61d6a7f729c9780ba8898179ff0c3

SHA256
0fdc8d6179b9124edd8d067708c6970906ac1abe839112537fbbb8146e40c97b

SHA512
513e8948816e0a569ccfc29efa65ab8b574994b1c80f80a23d0d4dddd3cee9f6d3a2ad8936bfe97c25051f386193c278a5ab5340a569de9019d31f47076b29dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11526d95a76a1f62b4f7928574960000

SHA1
5022cfd301a8142e945a855364e42ce89e84641e

SHA256
26826087ed740d0172b2413d514ac9104b23390bf58e2824e0053157c8c2c75b

SHA512
07302db04f0b535c18e13e75cd1d4f82241b4c8bbc7a6ee8419d8938c2334df1fed5657b74eca2a4c43b8dd52faa65ea8be8e01f581d9c4111e10938d2441c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6c7bddaeef2dcbbfc00daeb936bf9cb6

SHA1
89a5c253c624e16040d4a9543903f24e372b47b2

SHA256
561b0c9434dd96a78acbe454fbff36adb0147264defec3a133bcd1ccf84eec76

SHA512
33266a063cf2638a27e8921d068df2141843b1bea6486df7d18ea76d5881a3cadd9873cee708423d7e0dcbec072f708efeaf2a373a9d33f7efb9409b5967dcb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
7968e11618357be9beed84635ec32752

SHA1
39bfb56ed255d9a537f51c32f681787cf998e4da

SHA256
b49cb2ed3e34d6efcd7e26da9f5fe5dcee0dd4e9150f0b6023cbf4827f57ee28

SHA512
d4fe378242ee1d81bc30a5c24ffc34dbf058583682cca34d4b5dfade28343c595c73029d8fbafafd011a8855bc27c16e10c0044fe7e2943daaa35a8f5d7c28e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
cef8bb612eddde816ed092f3f2d4ae51

SHA1
b8af7f5cce7cf4a14bc89d24ffa8c4b77491d556

SHA256
dc43989a4932e09edb6bf13423a845fcae56f06e0fc03d586e7e629f21d7acd9

SHA512
c5fb17468db4fa3a37b94d1930252110c4b6ad5a0abb8be28304d348e6138b5aa63281a35cabcd13cef5857a9f647ed8b41cc03cdd5410b55517b53e2bb64075

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ee4195519eb8aa5ded64215057d04b69

SHA1
51cc55f4bfd46cdfec7dd372e4999851a022fa42

SHA256
d7a1e02eb66215dea0cb84ccc354ca897a0e71f3b976a315f133097fd0e00f48

SHA512
2da2f1b798bf272d3607ce4d79dad61f69fe7f21541f8904988dc461f1411c29b176f6c4f95392170ed013b4ad86d7330c12632dfcc44852c2a7c7b70c5198d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c4b2b7783f2d2d5188c780e70784b055

SHA1
3c0483192d595da6a72a99233554597ff3856e61

SHA256
3fa92a140880eeaeb8dfe63045853caaeecebffb8a168614ae2b4ebd195e1132

SHA512
74914dc014c5080eba6a5a8de43bfd972b872b21fa0342bc3881f50edac95ef342a5880e87270005cdda34f8574ec1e98f7d1c26b540ef32d86ca9d0bb8c3f3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5d03a5ef8a42d0080be0f3a9270cd811

SHA1
b8f728c025e8addada8c15ef18f4937f5bdd19ad

SHA256
ce8c3077a7ea28de0b43d73d4c2716af3a376a269c03dd51c0270467c8985e64

SHA512
c830bf579d309de2221a4807d5e48b45f81d3a1f3c6cf90d933dc95e52a89259c9e36e7c5d7223a753cd56152ee25dc465a4bad787e70f9f0f932f36adea859a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e41134a00ea5c68f6c633a37f6bfa71a

SHA1
d9583877a7ce1c82465ebfcc50a745dcd369d26d

SHA256
4d51c1824ab045ab740856f196fa8750d37fef7dc039b9c875f4c542c27e8511

SHA512
b3f23d79624d9d2ab8be00fd34a7e51056f40e8bee20c7570747308e418e1511bc1c15ee71821e652d2fb1d38a51acebc450fed0d357186c869853a61aaa2f3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
e21b3fffaebd5f9ce0ccd78b40c3cb3a

SHA1
25fe0263998632f4f1813fbfb3cb9df3c4e54af2

SHA256
a0914de1d09db07ee6b1f331e5446ad58c248c5784f3755ca0bf3f3eb14f6a7b

SHA512
fb799cfed139f1fc7eee6a98ce76d54b43cee9ad8e2f75e4aec507c80613eeb4dfc916a34d399c9ec97cf804e653067b980f0086cecdb12a54a7fb4af4960da0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
40d87f85fa297648552b1c9a9ba213af

SHA1
89fb715909207f4bd2263771aff92cc0c760ff98

SHA256
99d0698dc0fd130f75c23d6bcafb780a05c61c6bb37c8eb65c48c6ed1023be56

SHA512
fd0d504aca5f2b754bc21b36eff371966cba667f1d082302666f36f42e583987c771e62f62451e33b4834169beef987d883694926ae626c32e354d2d168dee74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
658c2674e725f96dbf40beea472db411

SHA1
31cf3e83bf53838c78dba13cea3da404da33fbc7

SHA256
e171e3eab8b38139027ebde0853685813428009d37d419589b96c206b1c873ee

SHA512
eae146bf0ffd03d1ae4b8acd6d72456d64d1be0e069927c8050c95fc6840ed7de168c5bf4b8bc8fae8ecdb1f6d07c7a24011220bdab44d66d4bb09b180e5161c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
5e1ef2b234b158a3daf7c9f7ede0683c

SHA1
81a5833fd3d8ba578ddadede7ed7fd6447e6c9f9

SHA256
34c3b78b8d897e5fb78cb36a1957e327a3d54e9819bd5c63518b87fdbde5d4ba

SHA512
4ca05255e0f2d054e9a01e84d6450d13fb5adc83326bc15a867aea88bc9888a418d5264160378da5cccc5a795d11e575f661f4b8aafc88a90b41501185be9e25

Download Submit