hxxps://outlook[.]office365[.]com/Encryption/retrieve[.]ashx?recipientemailaddress=contactocp%40mt[.]gov&senderemailaddress=JCOPPOLA%40lccountymt[.]gov&senderorganization=AwF%2fAAAAAnsAAAADAQAAAEOvCLdr6axBi9oDx%2f3DLDRPVT1sY2NvdW50eS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMjBBMDA1LERDPVBST0QsREM9T1VUTE9PSyxEQz1DT02G7LRI26gPQo5%2bjT20P%2bhrQ049Q29uZmlndXJhdGlvbixDTj1sY2NvdW50eS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMjBBMDA1LERDPVBST0QsREM9T1VUTE9PSyxEQz1DT00B&messageid=%3cCYYPR20MB6833D3CEABCB401388311F51A2762%40CYYPR20MB6833[.]namprd20[.]prod[.]outlook[.]com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40lccounty[.]onmicrosoft[.]com&consumerEncryption=false&senderorgid=f7102213-3f94-4d93-8972-b17e2d49aa8f&urldecoded=1&e4e_sdata=KiG%2b%2b2kyf%2bSoraTOkxIA75Awp4PPpAl4HYyx%2fnPJO1l48CEC18XbjVialQHxzvBiJt%2f2eIXH0yyjYFHi1KP9t%2bT9Si%2fu3IsUG3y7YM2L7jhvBRg1GedJOXZhCJhXNdj54B9QL3E8F26HWRiQ8Zyqd9z3Ve%2beFVBFJ9wZgkOJRDmQmCiOVVgejbLpUyzM1WpObwGaHp3ddJn4QOMB2aaT4li5igM6se8KvLDz32eRf2Ge93OxziT1MQ%2biNwMbVibZ3KvFWFelPr3dvegkNWmBXcxRTn7LD6FeCDKRkd6tnF9Kc8CJd6nBSszQ1QkQpKvQsGJ0XMDCqVHl5u6hXWa2kw%3d%3d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=contactocp%40mt.gov&senderemailaddress=JCOPPOLA%40lccountymt.gov&senderorganization=AwF%2fAAAAAnsAAAADAQAAAEOvCLdr6axBi9oDx%2f3DLDRPVT1sY2NvdW50eS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMjBBMDA1LERDPVBST0QsREM9T1VUTE9PSyxEQz1DT02G7LRI26gPQo5%2bjT20P%2bhrQ049Q29uZmlndXJhdGlvbixDTj1sY2NvdW50eS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMjBBMDA1LERDPVBST0QsREM9T1VUTE9PSyxEQz1DT00B&messageid=%3cCYYPR20MB6833D3CEABCB401388311F51A2762%40CYYPR20MB6833.namprd20.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40lccounty.onmicrosoft.com&consumerEncryption=false&senderorgid=f7102213-3f94-4d93-8972-b17e2d49aa8f&urldecoded=1&e4e_sdata=KiG%2b%2b2kyf%2bSoraTOkxIA75Awp4PPpAl4HYyx%2fnPJO1l48CEC18XbjVialQHxzvBiJt%2f2eIXH0yyjYFHi1KP9t%2bT9Si%2fu3IsUG3y7YM2L7jhvBRg1GedJOXZhCJhXNdj54B9QL3E8F26HWRiQ8Zyqd9z3Ve%2beFVBFJ9wZgkOJRDmQmCiOVVgejbLpUyzM1WpObwGaHp3ddJn4QOMB2aaT4li5igM6se8KvLDz32eRf2Ge93OxziT1MQ%2biNwMbVibZ3KvFWFelPr3dvegkNWmBXcxRTn7LD6FeCDKRkd6tnF9Kc8CJd6nBSszQ1QkQpKvQsGJ0XMDCqVHl5u6hXWa2kw%3d%3d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504100086801419"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4512	4456	chrome.exe	16
PID 4456 wrote to memory of 4512	4456	chrome.exe	16
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 1668	4456	chrome.exe	87
PID 4456 wrote to memory of 4524	4456	chrome.exe	88
PID 4456 wrote to memory of 4524	4456	chrome.exe	88
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89
PID 4456 wrote to memory of 1532	4456	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=contactocp%40mt.gov&senderemailaddress=JCOPPOLA%40lccountymt.gov&senderorganization=AwF%2fAAAAAnsAAAADAQAAAEOvCLdr6axBi9oDx%2f3DLDRPVT1sY2NvdW50eS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMjBBMDA1LERDPVBST0QsREM9T1VUTE9PSyxEQz1DT02G7LRI26gPQo5%2bjT20P%2bhrQ049Q29uZmlndXJhdGlvbixDTj1sY2NvdW50eS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMjBBMDA1LERDPVBST0QsREM9T1VUTE9PSyxEQz1DT00B&messageid=%3cCYYPR20MB6833D3CEABCB401388311F51A2762%40CYYPR20MB6833.namprd20.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40lccounty.onmicrosoft.com&consumerEncryption=false&senderorgid=f7102213-3f94-4d93-8972-b17e2d49aa8f&urldecoded=1&e4e_sdata=KiG%2b%2b2kyf%2bSoraTOkxIA75Awp4PPpAl4HYyx%2fnPJO1l48CEC18XbjVialQHxzvBiJt%2f2eIXH0yyjYFHi1KP9t%2bT9Si%2fu3IsUG3y7YM2L7jhvBRg1GedJOXZhCJhXNdj54B9QL3E8F26HWRiQ8Zyqd9z3Ve%2beFVBFJ9wZgkOJRDmQmCiOVVgejbLpUyzM1WpObwGaHp3ddJn4QOMB2aaT4li5igM6se8KvLDz32eRf2Ge93OxziT1MQ%2biNwMbVibZ3KvFWFelPr3dvegkNWmBXcxRTn7LD6FeCDKRkd6tnF9Kc8CJd6nBSszQ1QkQpKvQsGJ0XMDCqVHl5u6hXWa2kw%3d%3d
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd92d09758,0x7ffd92d09768,0x7ffd92d09778
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:2
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2452 --field-trial-handle=1956,i,5448549691990996751,6724211970008428187,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3881fb1e9e573a97b87a0bb2ddce9c01

SHA1
f39081c4732c3a094a26d723d4bf9730695de989

SHA256
f61a749be87aa0e91a3d8e0a72fd3bcb4770d148d05df104f7cbf0e73631d05e

SHA512
c9bb2120a5c640e011b3778b85bf75a5daebc018967a98a63a98c5607941f203e2caad16d1c784acaeb9bfe8972b8781ae513389403d1b6ed328e93f42f7e755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4066831a8b91fd542f732dff55c28edc

SHA1
ce613a790f267f4c4851c32f7c8876bd0adfd331

SHA256
e68c4ad2b0e9337ba0bb7e27d1f870b91532d819d1128e556a44682c55a911ef

SHA512
138099125995888e5f77295e5a54156033fd820825553ef70fee3542d1fc7b658c03d00015066469fb27af574e4415ccc05b0f5dbc0068f5767197db400dabc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
8c7aa7727dee3cc12ff3915ebf5e3526

SHA1
4385f387ee843f2bf8167ae13a52136a4f2c0098

SHA256
883924dc7e3e8ac2111292eb88e8e42bca1ccf2109a3446955467715d3899408

SHA512
ecbbf272305b09a7553b9e9b9929b1da835baec1ba92aefeebc5ac993a9d5b2747f8a49a00feaf3e7bec8f2b27cb20dcdf64a623fa9203478ef9836c57b97db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5d0b8337976923333f8a4c50fce68f57

SHA1
42d7b282657e345531a125246a0a7a024b802478

SHA256
4be17179645bf0a32c7f13786597f1cf89b279316068301a0a8bdad91ee62959

SHA512
4aa2149b757de1db465736929692d9756c98fcec37473f46c01063734c5f054df32cdb4af300564e3e4613c9b37edb09923add595059109d11495dc2fc59284b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e06d773b19e54a4b2ea1d9e4c31eee92

SHA1
4392de5fbb0dadd2774a4581db5f45c8769f6986

SHA256
b8749eb5923bce84688c02c4407ac0a72ed0ead3e3980adc4c55424bc5ce61cf

SHA512
455b08b997e3194e50f77092a8a4d7abcd8debe046939b255e0345ff8bf639d3acc0e537fe19082b896ea54438abe0afa8d31b6412cc17b7c43f2faa653ed29b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
45a8fe495bad483705c1ec36237cc75f

SHA1
4f5336d41901a678e54062bcded6ee3ec6750eb1

SHA256
1cbcda4d5c996623886a9db710a428006ea1d93f2d4f54442b7beb9d38cb473b

SHA512
32943e54ac35ecf551ff1c4b98dab4418f5e7616474928441680efac624735601cc0e6618086264fc7574ad2bb9e8ec8f5f35364846ce6e6deae7dc77833e86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit