hxxps://eastusr-notifyp[.]svc[.]ms[:]443/api/v2/tracking/method/Click?mi=hIkl8_x1cE6K7-90e2DtbA&tc=PrivacyStatement&cs1=c82d47811e53b8a5d2df6a9741f7917cd69193e9f4c927d352b0b09586ce4cc6&cs2=e904d62807d7d8a08355e9a7a50afb8d836b2e5907b97e0fba743b3318254399&ru=https3a2f2fprivacy[.]microsoft[.]com2fprivacystatement*5c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eastusr-notifyp.svc.ms:443/api/v2/tracking/method/Click?mi=hIkl8_x1cE6K7-90e2DtbA&tc=PrivacyStatement&cs1=c82d47811e53b8a5d2df6a9741f7917cd69193e9f4c927d352b0b09586ce4cc6&cs2=e904d62807d7d8a08355e9a7a50afb8d836b2e5907b97e0fba743b3318254399&ru=https3a2f2fprivacy.microsoft.com2fprivacystatement*5c

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133246741882024283"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
3356	chrome.exe
3356	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3236	1952	chrome.exe	83
PID 1952 wrote to memory of 3236	1952	chrome.exe	83
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 480	1952	chrome.exe	85
PID 1952 wrote to memory of 2680	1952	chrome.exe	86
PID 1952 wrote to memory of 2680	1952	chrome.exe	86
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87
PID 1952 wrote to memory of 100	1952	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://eastusr-notifyp.svc.ms:443/api/v2/tracking/method/Click?mi=hIkl8_x1cE6K7-90e2DtbA&tc=PrivacyStatement&cs1=c82d47811e53b8a5d2df6a9741f7917cd69193e9f4c927d352b0b09586ce4cc6&cs2=e904d62807d7d8a08355e9a7a50afb8d836b2e5907b97e0fba743b3318254399&ru=https3a2f2fprivacy.microsoft.com2fprivacystatement*5c
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2e629758,0x7ffc2e629768,0x7ffc2e629778
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:2
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:8
  2⤵
  PID:100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 --field-trial-handle=1804,i,4939665000033861769,7166101084414135193,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
709B

MD5
3ba314e01a30afd0459f89f278407536

SHA1
e203b75ce5e3c03bb8c1b46e28834e47af3b8281

SHA256
b78ba4915f38458f017e953517439cc08d1b8684e955087e1e5bb7c026cbaad9

SHA512
0a9ad123367f7a3d2dfca7eafa802267a9c852bb1551e16e9d4206fd5afaff7702a4192d30da94d570a626338a2fbb19f7eae2718b92316a9ef9742aff5ec43a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a863891fab531270b6a47e515267c5c9

SHA1
8d5e20b0a78df07db4df7dcbde5c1e2c94410f3c

SHA256
cabe2384004801ed5f8f76b60ec8947163ed0aac2d02fc6fb46afd959bd85ce9

SHA512
15fc7f86b0b9468323e8c4c1ceacf3d668727480ba1dfc7c24d7238c7ccf9e5b35ca46b1bdfbad72e90e6a84f0b85c3d64f5f9cbeba2bf894cce60a9ef853941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c3579b51a77d2e6657e779436b41a06a

SHA1
10282e6f3d2502a20906e2755e7fc1505e1a044b

SHA256
2d9dee03a7671334f397c48a50165710fcd096072df530ad0ced1b4c6e4989f7

SHA512
b72691af88afae1a2ae244f342941ff86a638e7dd8f561b75ee512ab57dd98e53786156b21f26ad0689b358edfb6ec54e81fc323706b273fdae4bbe86ba99791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bddb3c5654beff3374d994a7217f2ab2

SHA1
0dda7e6664558cacf24c10dea4165b29baabeccf

SHA256
65683309fe6e0aa96f1bc848fb60199acb3fb48d33329b2605ff63501682ffbd

SHA512
d670df208aa6cd84194de14709139bacdced3e7500f4d60dc31bd53686b39c6e3c4b61eba40295d67f9bafe13082525ae1f8b22f5d41a9d961e705416a2a1f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
41c00b4c983b9bba15922cfdf2af0c28

SHA1
d1bbb2ab0c257178cc8488e52b08f52182b6acec

SHA256
5100d09b0165c13ffd67b0107e491cea2d7f214d45f789aa0f4ecadbdd8eab20

SHA512
82f912a3cb78e4d077d12071ca3955d1b865ef6409d50ea0d2167d45e6bfccfbee577242c2edbe8a2ba4270411713d24279cf9ef97c8acf8174373e5b131a9e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit