hxxps://graph[.]microsoft[.]com/v1[.]0/me/photo/$value

Analysis

max time kernel
599s
max time network
490s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://graph.microsoft.com/v1.0/me/photo/$value

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522263931499991"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
548	chrome.exe
548	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4076	1844	chrome.exe	16
PID 1844 wrote to memory of 4076	1844	chrome.exe	16
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 1012	1844	chrome.exe	40
PID 1844 wrote to memory of 3196	1844	chrome.exe	41
PID 1844 wrote to memory of 3196	1844	chrome.exe	41
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42
PID 1844 wrote to memory of 2828	1844	chrome.exe	42

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://graph.microsoft.com/v1.0/me/photo/$value
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc91319758,0x7ffc91319768,0x7ffc91319778
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:2
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1868,i,9325291419414527879,13533142168254417866,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
0f7a4db6687ddf850159c117dd4ce8d6

SHA1
8c15825c4319193c47c9e3d2f1ee021e085f8c3e

SHA256
7427f4cfccd350354644a02a89ecbd9e09ea8ca55ab180c2aa19ca04cbb101fb

SHA512
81656f6b00717cb0a7e44188c41fc009e2486cec4f7fa42c272dd1e58c0ab9e3587444204667351c0fb595f8abb7518b510bfa82f5a24246841b2b4e570825b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
07240ba2dae0e954e7b3693b93b1fe64

SHA1
12fde51da29df2e389e7a7d5e29853ab408482cd

SHA256
79480cc3b95f68aedb710e27f77c84986ad14f8c0ca90c3fe3fbca498b75844c

SHA512
9abf8c79f4a21f31bcb8f6827b5b2ba1de65e31ee46bc85e9ebae3f44ae067ca90415f370b09cee75bf941c1328a63469edd9117a6d1b97f4442f68bc9ae470c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3f1db40ca68d5abeb893dd186ce46b50

SHA1
9dd7a1a983ea6960106ca5f32b3137a0c2e4dca2

SHA256
dc59d57e7332e4c1cbb4a200dcff9d7f3e1de92f8f1bc6848cd58ed727402779

SHA512
023c081a8c1d3a7af3d2a241df2533e33e8b75b9275c3601b7dcb7858e40597f9e2f481e0038a8713336c0cabe2ff37381eef8a1529d1c95330d5ea2d0c34904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
e80911e59a724ce7d3fffc7be8088887

SHA1
5be604ece3bf9c9ff3f3708a7f457693d8e1c7f1

SHA256
1b5db53f370e23e78e0e5dbf9e0656db539f91838f7f0a7c70a921a1408cc59a

SHA512
66dc03114f8c01e66a156ab68f1e6b85eea9269620e41cfb5ae2c7c70e50354683eba47c97dac6c910c49f7926db2cb75a586621b12a277afb8872e0ff75fc2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit