hxxps://picus-ng-virginia[.]s3[.]amazonaws[.]com/reports/7690/0/59521_Overview_12_Feb_2024_Mon_08_42_27_AM[.]csv?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAZQNPQR3YGIHNQTXR%2F20240212%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240212T084241Z&X-Amz-Expires=120&X-Amz-Security-Token=FwoGZXIvYXdzEJL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDKa6A0QRfdz1vEukOyKhA9p4NkSsJMncw5SUo%2BvXGGsvQga%2Bti5Rf9gCuBQ7IEFvzHvO1dfqdTtntf3ElNcLIuHFSu16A5T4S37XDHHw%2BO0X0qTg%2FuWw6UNGD3r%2Ff%2BE1pJF%2BqUPLOxs8hObjhE76%2FhLF2ft%2F8LpLcwhBfutIC8H11XgBMQtmpmyvH6prGJhswWMPLR6eSioT4SRHcqvRpbTQTe5S3nsrVwSL5WNhY%2FV5KJY2jrJ85aDaQwvylWrHvVI9AcTeAjniWuidZLGiJsO7jreI8K5Fi8yAYqUuyTA%2BzZqR6ApAn3t8NjFkF874OwRlARwaZOgka2OhnVyWAYK3cXBw8Ygl%2BXWMIAMNzL9gGgGilFgdLAu12ijjx9FP%2FdX5UIAWd6Q4YFbr0J4g5obH9t1ATpRutYaF1%2Fk0M%2FfCTK6LppK6BzkgEmoNBsIImidIySzS%2Bz91vwZ7Ye0ZviBx2tTVJ1LvYs1BZeMG0BYNtZundCBvr8tSwQ0ES5NGepBKTwmQ1J%2BkcvIfQ0Yx166Sb0BQMsna9AetkorSV%2FHNZTKbMT%2Bj1TkIYhfRBlIhzSiBtKeuBjItpOKCLq8YFLjUCA4r7rMaxXtRUa2z760Z0X%2BkeqQh3pDuhgDi1LDdVOd6LjWA&X-Amz-SignedHeaders=host&response-content-disposition=inline&X-Amz-Signature=406fe174b83966541f56baa9e738fabb13b6015f5a6a05455256e6f431e7db26

Analysis

max time kernel
277s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 04:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://picus-ng-virginia.s3.amazonaws.com/reports/7690/0/59521_Overview_12_Feb_2024_Mon_08_42_27_AM.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAZQNPQR3YGIHNQTXR%2F20240212%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240212T084241Z&X-Amz-Expires=120&X-Amz-Security-Token=FwoGZXIvYXdzEJL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDKa6A0QRfdz1vEukOyKhA9p4NkSsJMncw5SUo%2BvXGGsvQga%2Bti5Rf9gCuBQ7IEFvzHvO1dfqdTtntf3ElNcLIuHFSu16A5T4S37XDHHw%2BO0X0qTg%2FuWw6UNGD3r%2Ff%2BE1pJF%2BqUPLOxs8hObjhE76%2FhLF2ft%2F8LpLcwhBfutIC8H11XgBMQtmpmyvH6prGJhswWMPLR6eSioT4SRHcqvRpbTQTe5S3nsrVwSL5WNhY%2FV5KJY2jrJ85aDaQwvylWrHvVI9AcTeAjniWuidZLGiJsO7jreI8K5Fi8yAYqUuyTA%2BzZqR6ApAn3t8NjFkF874OwRlARwaZOgka2OhnVyWAYK3cXBw8Ygl%2BXWMIAMNzL9gGgGilFgdLAu12ijjx9FP%2FdX5UIAWd6Q4YFbr0J4g5obH9t1ATpRutYaF1%2Fk0M%2FfCTK6LppK6BzkgEmoNBsIImidIySzS%2Bz91vwZ7Ye0ZviBx2tTVJ1LvYs1BZeMG0BYNtZundCBvr8tSwQ0ES5NGepBKTwmQ1J%2BkcvIfQ0Yx166Sb0BQMsna9AetkorSV%2FHNZTKbMT%2Bj1TkIYhfRBlIhzSiBtKeuBjItpOKCLq8YFLjUCA4r7rMaxXtRUa2z760Z0X%2BkeqQh3pDuhgDi1LDdVOd6LjWA&X-Amz-SignedHeaders=host&response-content-disposition=inline&X-Amz-Signature=406fe174b83966541f56baa9e738fabb13b6015f5a6a05455256e6f431e7db26

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522724629814321"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 5112	1508	chrome.exe	16
PID 1508 wrote to memory of 5112	1508	chrome.exe	16
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 1480	1508	chrome.exe	38
PID 1508 wrote to memory of 3888	1508	chrome.exe	37
PID 1508 wrote to memory of 3888	1508	chrome.exe	37
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36
PID 1508 wrote to memory of 4676	1508	chrome.exe	36

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://picus-ng-virginia.s3.amazonaws.com/reports/7690/0/59521_Overview_12_Feb_2024_Mon_08_42_27_AM.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAZQNPQR3YGIHNQTXR%2F20240212%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240212T084241Z&X-Amz-Expires=120&X-Amz-Security-Token=FwoGZXIvYXdzEJL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDKa6A0QRfdz1vEukOyKhA9p4NkSsJMncw5SUo%2BvXGGsvQga%2Bti5Rf9gCuBQ7IEFvzHvO1dfqdTtntf3ElNcLIuHFSu16A5T4S37XDHHw%2BO0X0qTg%2FuWw6UNGD3r%2Ff%2BE1pJF%2BqUPLOxs8hObjhE76%2FhLF2ft%2F8LpLcwhBfutIC8H11XgBMQtmpmyvH6prGJhswWMPLR6eSioT4SRHcqvRpbTQTe5S3nsrVwSL5WNhY%2FV5KJY2jrJ85aDaQwvylWrHvVI9AcTeAjniWuidZLGiJsO7jreI8K5Fi8yAYqUuyTA%2BzZqR6ApAn3t8NjFkF874OwRlARwaZOgka2OhnVyWAYK3cXBw8Ygl%2BXWMIAMNzL9gGgGilFgdLAu12ijjx9FP%2FdX5UIAWd6Q4YFbr0J4g5obH9t1ATpRutYaF1%2Fk0M%2FfCTK6LppK6BzkgEmoNBsIImidIySzS%2Bz91vwZ7Ye0ZviBx2tTVJ1LvYs1BZeMG0BYNtZundCBvr8tSwQ0ES5NGepBKTwmQ1J%2BkcvIfQ0Yx166Sb0BQMsna9AetkorSV%2FHNZTKbMT%2Bj1TkIYhfRBlIhzSiBtKeuBjItpOKCLq8YFLjUCA4r7rMaxXtRUa2z760Z0X%2BkeqQh3pDuhgDi1LDdVOd6LjWA&X-Amz-SignedHeaders=host&response-content-disposition=inline&X-Amz-Signature=406fe174b83966541f56baa9e738fabb13b6015f5a6a05455256e6f431e7db26
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff983be9758,0x7ff983be9768,0x7ff983be9778
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:2
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 --field-trial-handle=1872,i,6887837383523017272,3134841408179633091,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3216

Network

DNS

picus-ng-virginia.s3.amazonaws.com

chrome.exe

Remote address:

8.8.8.8:53

Request

picus-ng-virginia.s3.amazonaws.com

IN A

Response

picus-ng-virginia.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

52.217.161.225

s3-w.us-east-1.amazonaws.com

IN A

52.216.32.137

s3-w.us-east-1.amazonaws.com

IN A

3.5.25.82

s3-w.us-east-1.amazonaws.com

IN A

52.217.95.17

s3-w.us-east-1.amazonaws.com

IN A

52.216.251.172

s3-w.us-east-1.amazonaws.com

IN A

54.231.162.81

s3-w.us-east-1.amazonaws.com

IN A

52.216.208.145

s3-w.us-east-1.amazonaws.com

IN A

3.5.25.231
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

234.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.16.217.172.in-addr.arpa

IN PTR

Response

234.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f101e100net

234.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f10�I
DNS

225.161.217.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.161.217.52.in-addr.arpa

IN PTR

Response

225.161.217.52.in-addr.arpa

IN PTR

s3-1-w amazonawscom
DNS

88.140.162.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.140.162.3.in-addr.arpa

IN PTR

Response

88.140.162.3.in-addr.arpa

IN PTR

server-3-162-140-88dub56r cloudfrontnet
DNS

209.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.178.17.96.in-addr.arpa

IN PTR

Response

209.178.17.96.in-addr.arpa

IN PTR

a96-17-178-209deploystaticakamaitechnologiescom
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

52.217.161.225:443

picus-ng-virginia.s3.amazonaws.com

tls

chrome.exe

5.1kB
7.8kB
20
22

8.8.8.8:53

picus-ng-virginia.s3.amazonaws.com

dns

chrome.exe

80 B
258 B
1
1

DNS Request

picus-ng-virginia.s3.amazonaws.com

DNS Response

52.217.161.225

52.216.32.137

3.5.25.82

52.217.95.17

52.216.251.172

54.231.162.81

52.216.208.145

3.5.25.231
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

234.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

234.16.217.172.in-addr.arpa
8.8.8.8:53

225.161.217.52.in-addr.arpa

dns

73 B
107 B
1
1

DNS Request

225.161.217.52.in-addr.arpa
8.8.8.8:53

88.140.162.3.in-addr.arpa

dns

71 B
127 B
1
1

DNS Request

88.140.162.3.in-addr.arpa
8.8.8.8:53

209.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

209.178.17.96.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
0d437ad713f5ec56ed5334f9796f6a77

SHA1
cd4790dd1173e40b6e05e28d63d120ffe2fbc511

SHA256
aa7f7a59b6de1b87c47d12e79c84e7edb2fc8cf6748fc4f2eaba9644477d09bf

SHA512
abed5773aac2f85f22036d1cbc53261f9d3b6eae6242368c568292259f784c347de6ca6336f16da9707cb4ccfa4bc79450efe8f3e5cbe979a15a4c5b2cfa0717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
97fa20ce4b8e329213c821cdc0acf064

SHA1
7f3559125f6edb33ecd5dfc53fe3d533f5bbd763

SHA256
58688c17c08de7b9a43a2b93af145e3e85671c2b4fab7e088c051e7046466b63

SHA512
64ab916a441193bb20a2572499481849696443c60fe877ecd8f23ac2db49ad66b18f9321573986fba84480a8b7e0f4ad7469539014fb29cf31cae9cfb86298e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
ac52d60b9dec8de2b8e958dc822d1f18

SHA1
fd293791cff96d3cc5eccdead6f33e6177b4d8e3

SHA256
b9f56790cac9383b3cadb8827ef7f54153398186a17406f22adf359cc015217f

SHA512
5b9e637b6a34ea98a1e5645666e81383e05791fe72cbbd5371aa6993be0c56c0754bcd23e047a6c94b2465148b038b6f6e1510c0677ded48ee1b6005df1ff0e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.