hxxps://www[.]google[.]es/url?q=queryl47n(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal[.]com[.]br%2fyoya%2fcfnskh0bdv7n5lon5jlvj8d2byhgrwolao3pa/Z2FldGFuby5yb3NlbGxpQGFuanVzb2Z0d2FyZS5jb20=$?

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-11-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.es/url?q=queryl47n(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal.com.br%2fyoya%2fcfnskh0bdv7n5lon5jlvj8d2byhgrwolao3pa/Z2FldGFuby5yb3NlbGxpQGFuanVzb2Z0d2FyZS5jb20=$?

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133761445721118913"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5232	chrome.exe
5232	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe
Token: SeShutdownPrivilege	5232	chrome.exe
Token: SeCreatePagefilePrivilege	5232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe
5232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5232 wrote to memory of 5348	5232	chrome.exe	77
PID 5232 wrote to memory of 5348	5232	chrome.exe	77
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 328	5232	chrome.exe	78
PID 5232 wrote to memory of 1496	5232	chrome.exe	79
PID 5232 wrote to memory of 1496	5232	chrome.exe	79
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80
PID 5232 wrote to memory of 4628	5232	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.google.es/url?q=queryl47n(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fsafrareal.com.br%2fyoya%2fcfnskh0bdv7n5lon5jlvj8d2byhgrwolao3pa/Z2FldGFuby5yb3NlbGxpQGFuanVzb2Z0d2FyZS5jb20=$?
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9eb28cc40,0x7ff9eb28cc4c,0x7ff9eb28cc58
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4768,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4844,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5088,i,12233637072680818699,5993227330501731070,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9a2d176b-8791-49aa-9c47-188190b2121e.tmp

Filesize
10KB

MD5
ecde129e0ff3ae5c44e27a248a446188

SHA1
04033577b33a78b7d8b86e745afe861b3d613f1d

SHA256
7814d053a5b9179225c5ec4b7fe805d7c4c1c9db711e8ec396a90212885ef1c9

SHA512
2bfd28ffd7aa1cc6c77eed360831bf41e85f94c6bbb310c506f861b0819193f677959da9e3abe8b9920f78c57a0f871dfda76ec500d1ede63a0217871d76ab66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1d80b36258ff65b6b9a91443f5c52d9b

SHA1
bf805fade5dd0fbd7e62ce05a71b8dde6cfb50ed

SHA256
fd77ad30e99395079c67167b0ce7daa1359a11702492f0f1facc1e08774cc8f1

SHA512
238b36866e6753069a3ec8237b83effe68f8888fbd32ea0e4fb1b27bfa830ab8e3e7236b75a4fd7797d4371be7c9f58306afc6e401225bd9a40504656a3703c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
588e00f1468c9f7c8fc9bdcec53f3bd0

SHA1
15c054fd103ccf2041fb5b3ee13903c69105615b

SHA256
5ed2e70054bef2966d5d83e6e67878c10119e6eeecba3d4fab7e3c48f1a6063a

SHA512
1da16814019daeebd5fc86f3b2779b430fd31cbe8b2e6c720b12c1194fb52ed9b50b9654906ad7f464d6c980a0f15085e2a5293a3834f10a88c9a2b1827df6d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
fb4edee0eb45a4d0d5de4a203446c206

SHA1
483d35d9969c4732a9c677aff248a80fcd254469

SHA256
67fd13617a4e4a9e919960a83e19ce5eb1290e0a3e508780f943682aa0cecc0e

SHA512
6e331b6964b31e83a1eeb693dab40fe08fb3b710ef67aa13d68ba29cda6edd3b741fd56854590e2844826979c43902ca6c0b57e33764aad2706c25984c9ace62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
805e12b8a64b0872bcabb142775b2d67

SHA1
4dfdaaeae443a6647a8f7e3b7fb7f97a10f5a159

SHA256
4cd45f313bf2a6639609fe2363770c386947b1b5a4593ef811d18090d9b5ec6e

SHA512
b9d41e507a7d3a914ee75fb3553b144686d35ac70c24b60e8d2c816c655a95eeb242e302d4b3dbef4fb1d1e76097dcdbca9455c8f7724a0812a7965d3c028f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
96154aeac254ec90c001439fb83ecd63

SHA1
dd5b3a492b9b4016e9817c4944d7e73ed46e01e3

SHA256
6c86a33cf75fba4ae0d500e88136b18f5a3e04970048a714e232d890cca57dba

SHA512
173cc43e2e6984f6c8232c473d2568a467e3d7a69fd0df92d9fd36fdf1a0470b9846796db3041276d30b462e752788764c13baaf95f60bbaa4b938530ffbe8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
441664732ac3e2ac4bb8f72c4620b5e5

SHA1
33b98fd41aa2521b385bb9d3b6aa805dd2217ad0

SHA256
ffdcac5a0217a589508908b795478c691abd1cce6bbdda512258228908c2fc80

SHA512
68a093da914fe933e8341c6e2fcba5d27a7532dac8e41ba5278a4fb3eac126beb9cd850ce16162c43fedea36fcb047272638d6006ec4454dce695819f77007f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7a34f25352fd6ec03edfe05d1599a62d

SHA1
153e47df595b3266560b39602dfb987eecf47bd3

SHA256
cd53fdf9069870b47e07915a622f4a199cefa5cf31cd48fea1d20ca6e7e2b24b

SHA512
fb3b04d47010df91ad2b23b272192a7c18c01d0be5f3c3c330f1d2e61d9343ef2cb4c6d6c058cec7059b139643d201afdc7219c6e8c3da5a7ad059405555ff06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
fca8e46d0aba10e63e2bebb13fa34ac7

SHA1
254505a767cdf3f0ab734ed245a110c3b4070f46

SHA256
afaa25e4e01845553b0c19d6848d68691921c4759682efb39cd3f4a80685e35f

SHA512
64961dfd92c317b4b47bc60dca9aae41a6e120b285e6bbe2d3ab976467087e8ded68726a2afd76a9ea9e853d484e3135826c1614aee66d6c329a5ee598878795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5c0494dd9be1ff5d3cd5d7f2df45f2f

SHA1
1deda15ac645c88e7fa9e53257c499e5236c9fb7

SHA256
0270be232b1e1856911f4e05afdf46419b30e305f8fc2cd8915660518d6e6d6b

SHA512
6c7adaa5bbee827c13094998d2ff085665984b65344fedbed6c679c2f5587d954392a8835fc39a1fa48e0e2cbf87a5609537affcd81e1dd244de95d23257e243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8aad2967818000bf10c9de85f532e733

SHA1
c0ffbc047b99fb9ee045e011f8ad79d00d61d162

SHA256
51c7239fb7b3dc7bb64e8abfdf5f5a62e0e93449357edba510256aca3ef118ab

SHA512
4a4f124acf157ac0a176568a0d3610b27c3571082b634e24722694a39462d741c36be1fd2af53dd1190bb28ab4327731b9a206ead7932e6e8e0773b8feb0df37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8409e50d79519efc6354707c12cd7b96

SHA1
e8903a5a28d0f7414be5965713953fb6fc31d179

SHA256
c1857ccdb71ed2c418d47370b094a8d358f0d5e09e172fa1e236002702d5b28f

SHA512
b03a627055b4595102ed2ec052786cf54335a0439b8fca24e1bd2fd33cf89581316653e43d1c19956277f3c476da65bf47f6061c06b1b8a8457b8b1c5a8ce98e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fae2fe9536e412d923af0d291ab7077e

SHA1
398054cd9d28098d62bb08f17494d0d749afd5f2

SHA256
35c112a5668462360fea2e15d4fc4261f68455adbceb197a5c2b162c76a1dc7a

SHA512
e2611c31184d4c9d25bef97793a6538004d9894528778a2f83a4339d317c399c420e6bf836077a8ce573b955ba979c3cbfc1a66bb0598296fc87737707f99817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a0a836057e5581026b0e84960dae268

SHA1
4d46d7c388262d5e9290b67c56cafa6743cc463d

SHA256
98d6bc42c0350f8790b4d2154c1934cb70ae392a134b59a60c16be3155d07a76

SHA512
60261bb57129e4c308d1e7ff6e07db6129096b5b2b897a9248fc8f957e458848b792ce29259053c423f087a0d57f766cabe5358bf19696b858a663de51f10550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
798f9d76e8b3ea8983cca347ca32eab9

SHA1
c590f3735edca71888d2a76298970fb3abb6e0f1

SHA256
8051188ecd9e5a52740d8ce4cec6f37093025803b89ecaccee3e7146e4758e22

SHA512
215dbe7c1a293db0b9d43012fd7327f2ad9fae5ffc949f0b1c775a90b59e1ab91df98a4507704168cf4d4872be476f0d9d4e3cc2741998c6cf8562cb1cc952f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ee83d3cf68d203a637d68352a4fd508

SHA1
ad263fd84c42628d5d47eb6aafa0e027ccd03783

SHA256
4db42b0ed1b112030532c2596f8a5c91160c933b4b9653e80cec195a611eb5cf

SHA512
7441f3d05c151916b85cef071457ddd1c2c80377c73adcd072273dcc1531a0822553cc537887a8e4ee60e63c56ac729023025bf82274fe3b3a48d8b392a45f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e61f529048659b4d6032e6eb99c0cba3

SHA1
f278a069abf5bd3b74ba46db2afcb8ba51977843

SHA256
c930781601cc2eaa9ec006596e4ee924b2e298cda63599e523e0fdce9b3fd3a3

SHA512
47029ab4a2ab6fc63216c2be25b9901cd5f475b33376c91f7b82083929bbe86fef805eb4246028c8798febc870c037afb0630a892da825c5e44e4121e3be9319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04f02ea083271510dfa6227854d2f2e4

SHA1
63caf829fb25c5b1016987296e6b286721118ba8

SHA256
5465035a51c5004568ba0b23c1efe525444ad1a606ae312e19acfd0a1f4d0277

SHA512
c547ea17ed83f665a551cafd384144573e139868119e9ba4055bda4c148fd3b9441f7950705e9e1f7f03ba865173aa35c746140431edabe205b5fdcd60f77d5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
b2a6e6d4d960d42100abe498a9696e92

SHA1
66aee9aabb2a685705b0c82d2529da604c9b5b1f

SHA256
278d6293cf0f34b6db8f01deee4d389fe329c5caf3628bf6064c408ff56d8e69

SHA512
fc9e4644df7458519bd60caa2c197099d3a5a9478c7edb5d249e4b260789f9e97f8ede7ffc702b09a8bb73b5c179e0a2bf28b6b7122e031311bad64d2091064b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4713682c01485142d0b8fdf6fc22f5e3

SHA1
abb0a45f7de491eb1d24ad63c229eed4e707b605

SHA256
4c54f745484b3068a9e658dc8c5b7a0ce509bf7305b18bb46603e39b3089d205

SHA512
9d4a0dd9bdbed129be23a255de097a039c2e9a99ce5c69cab96848afdde4f9dbc526695d4550071d8b1674c8b7db70b580596f57917f0533462bd852dc4e7f9d

Download Submit