hxxp://avdeelz[.]info/Webmail/52/Webmail/webmail[.]php?email=motor@mena[.]lockton[.]com

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://avdeelz.info/Webmail/52/Webmail/[email protected]

Score

3^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642841505286709"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exesdiagnhost.exechrome.exe

pid process

228 chrome.exe
228 chrome.exe
5644 sdiagnhost.exe
5644 sdiagnhost.exe
2328 chrome.exe
2328 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exe

pid	process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exesdiagnhost.exe

description	pid	process
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeDebugPrivilege	5644	sdiagnhost.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exemsdt.exe

pid	process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
3428	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 228 wrote to memory of 3424	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 3424	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 1612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5008	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5008	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 5000	228	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://avdeelz.info/Webmail/52/Webmail/[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad028ab58,0x7ffad028ab68,0x7ffad028ab78
2⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:2
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4008 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3404 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4140 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:412

C:\Windows\system32\msdt.exe
-modal "786506" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF8A10.tmp" -ep "NetworkDiagnosticsWeb"
2⤵
- Suspicious use of FindShellTrayWindow
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2572 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3404 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1692 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4336 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4736 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4700 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1868 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3400 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4980 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4140 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3188 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2368 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4920 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2348 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4244 --field-trial-handle=1896,i,7622695537311211094,17848238837780835481,131072 /prefetch:1
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:620

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5856

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024070105.000\NetworkDiagnostics.debugreport.xml
Filesize
69KB

MD5
6dce7518d899de9cb943ac38c7d0c1f7

SHA1
b14dc7412f777570d396b9724ef78c185cf7a338

SHA256
f06664994224969fbe02ac255fe2c0f38cd0cb4b2446da337367393eeb6bdeda

SHA512
4cb896bd0592a7f3919f8bdad709b858cc1754d6d63d6cdd1d0537ff1c1e6b75d48c37feaebee11fe52d674f3a71dda4e0933c8ef65143b526be48fc1cb71625

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024070105.000\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
928B

MD5
fdbd5cab97300b15ce312e664ea7b0af

SHA1
3243d3178a286c7b5d1268860fb26bca20fb8058

SHA256
e6fd7aa2dffa5786edfa59b13cbfcd964a66a8dee35e598170d334e55390b7c0

SHA512
02d830ac3588ff45fbefcdb999fc2e4cb331a86c28d72f8105c04e150df6b9eedd6c9167ddfbad7b9beb182b7018b95393cfd12509a00d3d1cc7062920789085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
92e9c1c3ce8807edcd80657c01585ad0

SHA1
e2ca4baa6a476910e1a277bec88a330514529436

SHA256
f80f2abd6dea2287ec2c3b712fbc9d984f3d8cb921937ff4671c27c7c36ab36c

SHA512
60fe9b2071db3cbc30b17685f3fa53143205d8c91ba6414981ac66b147ecf50509a28987610c765b2dcd7be9d85f42e9deaf0c11450da736bffe14cedd79e26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
c207b9aaa21e00b865feee7feaebd780

SHA1
4db62c56320f7e5038e99cf282ac0d810d9119f9

SHA256
a5c507b65a59028ea22295324c998f56246c7591deda6204c974cd856ba34a6d

SHA512
fe2e523d384b6e21da54f7be2d4b8cd10a019ec302ece60dd473c977dcc835d69290993e9aba29682c1bf45a5d71bf87d6e4d50850fe5b22fd7d741e6d5cd63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1ee4cba95214551e454c298ff85545c8

SHA1
01c458afaca6d118742b808a2a3a9f60e239b590

SHA256
f3f29f01a8c3c2789ff8d8e9c9e560b033f00cdd34eeb0f83a509450487a3620

SHA512
88bd35467544840f23d29b02579947096474292970df6caa0b9a6816a5aa91069c1bbe3d15d31dc0e14271fa6e06c1cbdbe521b6457d5f95b2b51d73011e670d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f04bb45745a68c1fe0f0ab2218346d0f

SHA1
9b37b3a078f51e5a6f8fab2880c8957e025b9eba

SHA256
5ff166613f95d98847fc9e7e16fb7ca1d94e649500d809af317398b2723a0e30

SHA512
2310a93a4ed77d00b201777f30a05a3510d1301ddd3a5fd437ac8b635f779a9c27d90040c29fd1748488a0f6f9f9e77c0baaa17947a47c4e7376fa0dd2b2418e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
81ed908648a9f5bcef085c9c58462e53

SHA1
794484df6e39476ebcbde4cc18a9bde32a6f13b2

SHA256
5a38aa43e5c06a88f71f09b7e1be251b90fed91a3737e4c0743f6984db210ab5

SHA512
d464749b9471bc9aa5449ad2029f8f7350db931168467de65d9005637ff2605aec7ea92193f78edaeaa61b1f8ac736e9c536993d897493cb693e635aeeb4d63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
9fb4488b55e16c83d81d6b293e79afe9

SHA1
24adaaa84a73e7ef105949afc07266d0d31ee56b

SHA256
3597764247e0ca5d939999d565de7987843f33bd6d15ca5f17954bc10a92d284

SHA512
6ede2e0ffb308e8771102776d73d244c1b77974a2228aebd349810de243f2a458853f636334a02b546949b4c1d11c57f032a8595bc9e37fee5b7827919a28f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
294ff0f62124e1e059677979a5f6b532

SHA1
f23e0f7e34f03e06ce5d032038222775ce3d1baf

SHA256
a1fd5eb654ec89df2a1b97dc7ed671ab29e035399784bb038ff8532095cf2859

SHA512
d922769fafd5ec65f2269552a97b7b83f5cdf65ca181a3b8c1e12d571562fdcd6822918c52260131636e0c2ca75a437ad631c11db2bb1cbe4cde67d1e357a919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
afa0e82b8afeaffb55b9568a13838696

SHA1
a9800629a7744152c93c31dfbc85760308d2cbd9

SHA256
c60b85bc34bb4989a20ef818f7ccf0b4278332c3fcee36aede0c821a9b00bb99

SHA512
f78a1ce0c097de84e31355f9a77084209fdb437ff1bb05d4daf80878bd479b79f2f43ea1198b1edf2b50e7cfd40708986a553c83939f889ff0087257a4323463

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF8A10.tmp
Filesize
3KB

MD5
58016fd0d373ea2233d05b91765365b9

SHA1
0b540974df6fb0359a5b8f88ee568242adeaaecf

SHA256
958398598335d748daeaac80095dc4c79dbb124d41804a91e966ee25279af705

SHA512
d899ed80bfd7b8e7f265e9afd599423370d727906d655dea4af26f464d63b623c620ad9c4be61518cec4af5f8165e3b16c9433d4a393e6f1bc369afae9c94af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oewjcgwa.rcr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\SDIAG_407b4417-f23f-4428-baab-8e2404ee1c4a\NetworkDiagnosticsTroubleshoot.ps1
Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_407b4417-f23f-4428-baab-8e2404ee1c4a\UtilityFunctions.ps1
Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_407b4417-f23f-4428-baab-8e2404ee1c4a\UtilitySetConstants.ps1
Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_407b4417-f23f-4428-baab-8e2404ee1c4a\en-US\LocalizationData.psd1
Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_407b4417-f23f-4428-baab-8e2404ee1c4a\DiagPackage.dll
Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_407b4417-f23f-4428-baab-8e2404ee1c4a\en-US\DiagPackage.dll.mui
Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
\??\pipe\crashpad_228_VJHWTRELPVTICREB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5644-426-0x00007FFABE060000-0x00007FFABEB21000-memory.dmp

Filesize
10.8MB

Download
memory/5644-425-0x00007FFABE063000-0x00007FFABE065000-memory.dmp

Filesize
8KB

Download
memory/5644-496-0x00007FFABE060000-0x00007FFABEB21000-memory.dmp

Filesize
10.8MB

Download
memory/5644-406-0x00007FFABE060000-0x00007FFABEB21000-memory.dmp

Filesize
10.8MB

Download
memory/5644-405-0x000001576A590000-0x000001576A5B2000-memory.dmp

Filesize
136KB

Download
memory/5644-395-0x00007FFABE063000-0x00007FFABE065000-memory.dmp

Filesize
8KB

Download