hxxps://attachments[.]office[.]net/owa/suspicious%40resolutionlife[.]com[.]au/service[.]svc/s/GetAttachmentThumbnail?id=AAMkAGE1MDgwYzcyLTZhYTUtNDgyMy05ZDQyLTljOWUxMjljN2RmMgBGAAAAAACEmunnZVhQQLHpqubea6wQBwBbzcY7x5R3QY9e2JhrbznRAAAAAAEMAABbzcY7x5R3QY9e2JhrbznRAALGGDJWAAACEgAQAA4yDqxXF3xDugrDIxNzer8SABAAYixEc%2Bjf3Eeavh%2ButxtxSA%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ[.]eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiN2M0M2NmNjhkNTk5NDExYWFkNDU5NDkwMDM1MWNmNDIiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayIsImttc2kiXSwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEBhMDExMjhhNC1lM2U0LTQzNGMtOGFkNC1iM2Y3OTExNjU1Y2IiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjExNTM4MDExMjQyNTU5NzcwNjJcIixcInNjb3BlXCI6XCJPd2FEb3dubG9hZFwiLFwib2lkXCI6XCIwZjNiNzA4NC1hNTZlLTRhMGQtOWQzOS1iMzFiNTY5OWQ2YzNcIixcInByaW1hcnlzaWRcIjpcIlMtMS01LTIxLTM3Njc1NjE2MzMtNDI2MDE4MTk4Mi04ODQxMjgyMC0yNzgxNDkxNlwifSIsIm5iZiI6MTcyMzA4MjIxNCwiZXhwIjoxNzIzMDgyNTE0LCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiaGFwcCI6Im93YSJ9[.]f6ryU6-KXsjWFfmPXApY0UUNjOmGl0LoWbhUmlcxFzdx9KWz9b1RWpYeqb5W3P-eFQY4QLnodvLMg2s2gCXrZUXNis-D8Be5trJ4MTtp1Po-goMHE7v7R_wdqlyLV4WK9sC2yGtwkbfY8VXYLN81rKED_6Qc8ptk5lfhDXsVMMGMGn0bXahPYkDQ4YohlcCqvaHR91u9bodcnKGPoecz8lqkTH3rtav68_Xdm_8Rg7NqHvQp_zHjLLN0MWh6FP9VVVn_FytWFdumXIvLqZrCzrw0VltBiZf6z70nerJHq-Q0d5gsBu3WZDL2169CwRrUTdnaif4zXhjNlTbzW7NmdQ&X-OWA-CANARY=bdvoVyJAlbkAAAAAAAAAAFBQ-oNNt9wYmmQNwdqsJMSpgzQNu-Oghtx9QnP9acYXoYtvNXTI_hM[.]&owa=outlook[.]office[.]com&scriptVer=20240719002[.]24&clientId=301EBAE1DE114286A470F45083003C22&animation=true

Analysis

max time kernel
40s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 02:02

Sharing

Behavioral task

behavioral1

Sample

https://attachments.office.net/owa/suspicious%40resolutionlife.com.au/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE1MDgwYzcyLTZhYTUtNDgyMy05ZDQyLTljOWUxMjljN2RmMgBGAAAAAACEmunnZVhQQLHpqubea6wQBwBbzcY7x5R3QY9e2JhrbznRAAAAAAEMAABbzcY7x5R3QY9e2JhrbznRAALGGDJWAAACEgAQAA4yDqxXF3xDugrDIxNzer8SABAAYixEc%2Bjf3Eeavh%2ButxtxSA%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiN2M0M2NmNjhkNTk5NDExYWFkNDU5NDkwMDM1MWNmNDIiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayIsImttc2kiXSwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEBhMDExMjhhNC1lM2U0LTQzNGMtOGFkNC1iM2Y3OTExNjU1Y2IiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjExNTM4MDExMjQyNTU5NzcwNjJcIixcInNjb3BlXCI6XCJPd2FEb3dubG9hZFwiLFwib2lkXCI6XCIwZjNiNzA4NC1hNTZlLTRhMGQtOWQzOS1iMzFiNTY5OWQ2YzNcIixcInByaW1hcnlzaWRcIjpcIlMtMS01LTIxLTM3Njc1NjE2MzMtNDI2MDE4MTk4Mi04ODQxMjgyMC0yNzgxNDkxNlwifSIsIm5iZiI6MTcyMzA4MjIxNCwiZXhwIjoxNzIzMDgyNTE0LCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiaGFwcCI6Im93YSJ9.f6ryU6-KXsjWFfmPXApY0UUNjOmGl0LoWbhUmlcxFzdx9KWz9b1RWpYeqb5W3P-eFQY4QLnodvLMg2s2gCXrZUXNis-D8Be5trJ4MTtp1Po-goMHE7v7R_wdqlyLV4WK9sC2yGtwkbfY8VXYLN81rKED_6Qc8ptk5lfhDXsVMMGMGn0bXahPYkDQ4YohlcCqvaHR91u9bodcnKGPoecz8lqkTH3rtav68_Xdm_8Rg7NqHvQp_zHjLLN0MWh6FP9VVVn_FytWFdumXIvLqZrCzrw0VltBiZf6z70nerJHq-Q0d5gsBu3WZDL2169CwRrUTdnaif4zXhjNlTbzW7NmdQ&X-OWA-CANARY=bdvoVyJAlbkAAAAAAAAAAFBQ-oNNt9wYmmQNwdqsJMSpgzQNu-Oghtx9QnP9acYXoYtvNXTI_hM.&owa=outlook.office.com&scriptVer=20240719002.24&clientId=301EBAE1DE114286A470F45083003C22&animation=true

Resource

win10v2004-20240802-en

discovery

windows10-2004-x64

9 signatures

150 seconds

Report Analysis Logs

General

Target

https://attachments.office.net/owa/suspicious%40resolutionlife.com.au/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE1MDgwYzcyLTZhYTUtNDgyMy05ZDQyLTljOWUxMjljN2RmMgBGAAAAAACEmunnZVhQQLHpqubea6wQBwBbzcY7x5R3QY9e2JhrbznRAAAAAAEMAABbzcY7x5R3QY9e2JhrbznRAALGGDJWAAACEgAQAA4yDqxXF3xDugrDIxNzer8SABAAYixEc%2Bjf3Eeavh%2ButxtxSA%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiN2M0M2NmNjhkNTk5NDExYWFkNDU5NDkwMDM1MWNmNDIiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayIsImttc2kiXSwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEBhMDExMjhhNC1lM2U0LTQzNGMtOGFkNC1iM2Y3OTExNjU1Y2IiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjExNTM4MDExMjQyNTU5NzcwNjJcIixcInNjb3BlXCI6XCJPd2FEb3dubG9hZFwiLFwib2lkXCI6XCIwZjNiNzA4NC1hNTZlLTRhMGQtOWQzOS1iMzFiNTY5OWQ2YzNcIixcInByaW1hcnlzaWRcIjpcIlMtMS01LTIxLTM3Njc1NjE2MzMtNDI2MDE4MTk4Mi04ODQxMjgyMC0yNzgxNDkxNlwifSIsIm5iZiI6MTcyMzA4MjIxNCwiZXhwIjoxNzIzMDgyNTE0LCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiaGFwcCI6Im93YSJ9.f6ryU6-KXsjWFfmPXApY0UUNjOmGl0LoWbhUmlcxFzdx9KWz9b1RWpYeqb5W3P-eFQY4QLnodvLMg2s2gCXrZUXNis-D8Be5trJ4MTtp1Po-goMHE7v7R_wdqlyLV4WK9sC2yGtwkbfY8VXYLN81rKED_6Qc8ptk5lfhDXsVMMGMGn0bXahPYkDQ4YohlcCqvaHR91u9bodcnKGPoecz8lqkTH3rtav68_Xdm_8Rg7NqHvQp_zHjLLN0MWh6FP9VVVn_FytWFdumXIvLqZrCzrw0VltBiZf6z70nerJHq-Q0d5gsBu3WZDL2169CwRrUTdnaif4zXhjNlTbzW7NmdQ&X-OWA-CANARY=bdvoVyJAlbkAAAAAAAAAAFBQ-oNNt9wYmmQNwdqsJMSpgzQNu-Oghtx9QnP9acYXoYtvNXTI_hM.&owa=outlook.office.com&scriptVer=20240719002.24&clientId=301EBAE1DE114286A470F45083003C22&animation=true

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675561455602009"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
184	chrome.exe
184	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
184	chrome.exe
184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 5112	184	chrome.exe	83
PID 184 wrote to memory of 5112	184	chrome.exe	83
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 2808	184	chrome.exe	84
PID 184 wrote to memory of 1984	184	chrome.exe	85
PID 184 wrote to memory of 1984	184	chrome.exe	85
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86
PID 184 wrote to memory of 2672	184	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://attachments.office.net/owa/suspicious%40resolutionlife.com.au/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE1MDgwYzcyLTZhYTUtNDgyMy05ZDQyLTljOWUxMjljN2RmMgBGAAAAAACEmunnZVhQQLHpqubea6wQBwBbzcY7x5R3QY9e2JhrbznRAAAAAAEMAABbzcY7x5R3QY9e2JhrbznRAALGGDJWAAACEgAQAA4yDqxXF3xDugrDIxNzer8SABAAYixEc%2Bjf3Eeavh%2ButxtxSA%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiN2M0M2NmNjhkNTk5NDExYWFkNDU5NDkwMDM1MWNmNDIiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayIsImttc2kiXSwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEBhMDExMjhhNC1lM2U0LTQzNGMtOGFkNC1iM2Y3OTExNjU1Y2IiLCJpc3NyaW5nIjoiV1ciLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInB1aWRcIjpcIjExNTM4MDExMjQyNTU5NzcwNjJcIixcInNjb3BlXCI6XCJPd2FEb3dubG9hZFwiLFwib2lkXCI6XCIwZjNiNzA4NC1hNTZlLTRhMGQtOWQzOS1iMzFiNTY5OWQ2YzNcIixcInByaW1hcnlzaWRcIjpcIlMtMS01LTIxLTM3Njc1NjE2MzMtNDI2MDE4MTk4Mi04ODQxMjgyMC0yNzgxNDkxNlwifSIsIm5iZiI6MTcyMzA4MjIxNCwiZXhwIjoxNzIzMDgyNTE0LCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAYTAxMTI4YTQtZTNlNC00MzRjLThhZDQtYjNmNzkxMTY1NWNiIiwiaGFwcCI6Im93YSJ9.f6ryU6-KXsjWFfmPXApY0UUNjOmGl0LoWbhUmlcxFzdx9KWz9b1RWpYeqb5W3P-eFQY4QLnodvLMg2s2gCXrZUXNis-D8Be5trJ4MTtp1Po-goMHE7v7R_wdqlyLV4WK9sC2yGtwkbfY8VXYLN81rKED_6Qc8ptk5lfhDXsVMMGMGn0bXahPYkDQ4YohlcCqvaHR91u9bodcnKGPoecz8lqkTH3rtav68_Xdm_8Rg7NqHvQp_zHjLLN0MWh6FP9VVVn_FytWFdumXIvLqZrCzrw0VltBiZf6z70nerJHq-Q0d5gsBu3WZDL2169CwRrUTdnaif4zXhjNlTbzW7NmdQ&X-OWA-CANARY=bdvoVyJAlbkAAAAAAAAAAFBQ-oNNt9wYmmQNwdqsJMSpgzQNu-Oghtx9QnP9acYXoYtvNXTI_hM.&owa=outlook.office.com&scriptVer=20240719002.24&clientId=301EBAE1DE114286A470F45083003C22&animation=true
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa08dacc40,0x7ffa08dacc4c,0x7ffa08dacc58
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1232,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2016,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,11304838588879993139,4815479599402211405,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c49629d6e236aea6984d6992cb204c7d

SHA1
49917b59ccba2792c9e4dd05ea86f44fc859c28c

SHA256
35e8c7de307434ebaee731bf74a805f24c003918a484ea0c81fcfc077fe69cef

SHA512
49c40a787d6678c67c94180ecd5b311ddd02761e1ffd7f5266ab638a12aeab919a5fcd1a584a75ddbb6735a804776bd14e608b3a68c54330777cd92d774030a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
c9f89d9bcd01db6527f289716f130613

SHA1
b767be5326edf814a13e6e5d43d7f75d79200077

SHA256
a2f9d84404d95cecc95f03f71593d52ecac8aae261844da83fcf13ec48719639

SHA512
11883fae2894a68104f643a72f4c8816bc38a043eb5c258dd443ef1db168d5a4b1a2c414ad0d15d09d7209cd3770e91c56a6dca21d3ac19111da5143d98bf361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
ae088df28de8b07f32f23d0043b7f11e

SHA1
a0084e92583416e84aff0bb3da4a5c479cd18284

SHA256
546ddba244695d3e4cb427bbd3c37f20598b05fa7f99048427cd8c4ce1011499

SHA512
6aa79d3940b2c44159998a1b7cb803e9572b16d0df766cf3cbe0a52a236961e1ef41e28373b6a8401b44e3d36280a9b166532f3ccce7d7c07b5cf4ef71d8f3eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
40cc4750d01d86402969fc2fd1b40265

SHA1
df426a89e126f0fe8c8a001b759404211c931040

SHA256
6844eee9c6938cc13c0d5a8a9b1320afbc132382f516a69f7224ffd8c7ef8fff

SHA512
7453adf5598a446894929f151d5baf31f5630ae265af443096220ad3df218bd853f3e73711c0027a4a92a7539abfd4a9e4ba466ad2f7a967343d77f96e2c07f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bb6ca88a12e1b811d413e317bb496146

SHA1
d06a83f6180a32a3d68c72fa496724888efc7984

SHA256
6bf92e3431868e2177cfbaacd9f1a4470a612566840af937aac12781261fcda9

SHA512
3124b4008e6109117a5fa8d9e6f0850e6fe8f13b1fb41face27fdacda2b4c7e7c12828de5e4aa5d7efb6b04208eeb074a342d0001534635fa8e9075862095bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d0fa0e60181624a718df6c652854e9ee

SHA1
507f67d4786ba126e91479d473c0e6ddf5defcb1

SHA256
5fcb51545c1e146b950621594107b62768aaff69f393def27363947ae987ab4d

SHA512
2e8fa63a4dbd891d17b0a5a4559505485a8a0f3b63238a65fc05bf50224b7ec70bcd0fe30fbcdb425c41194d50387653b50519b8beb16f73e7b3a8a4ac9312a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
18881158805cd17f84b46134e81de97c

SHA1
f63531e517687a503efac181e6891a60872f67bb

SHA256
4a9007b72a16081519ba1e9c3ba25fc93e179cf0dbb7b0d697ac1f0c7ca8e4e2

SHA512
9e832670676b63ee42f547618af6299078db516de512333b42670db90b145f546051b36f6a70ab86c833f6e728236a4ef50847f20f623af8a1a49db8d141aa15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ed87558d591819959ce05c9c82c958b8

SHA1
270e360c54f53c68fca9bbd655ed6f8d5f8b4cd1

SHA256
c9f06c31760276677c0d372b807c5266a3aae574dca9e7105774b47d0820980b

SHA512
7851a09dfecf304b6be3f8c2ca356da10e41afa282a7c87401e2aa492e48ce91e77dc0e5fb220e8af2ab6dd95dd2e3fa837ddc8927bb2767303fe7844c2562bd

Download Submit
C:\Users\Admin\Downloads\41d95fea-3a3b-42c5-9931-75f946dcfa01.tmp

Filesize
75KB

MD5
aba66e84af4481cdcd3e2a5300ca7c09

SHA1
ec25c72812989687d3ad2e4dde633f5b174fb80d

SHA256
4dfc7bef6fc44b139e15978ef9199801d086169b55608b15b7ea3325e22910dd

SHA512
42c4421cf07a1111637964682c2dc06d95ad3a69122e99f5bacfa7b95fe16516b6ebc7fd917ac1e4bed3d329ebbc03abf2e592a97136c2684f50458855144e4e

Download Submit