hxxp://www[.]aiim[.]org/pdfa/ns/id/

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.aiim.org/pdfa/ns/id/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133342306661893472"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
1744	chrome.exe
1744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2888	4124	chrome.exe	86
PID 4124 wrote to memory of 2888	4124	chrome.exe	86
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2180	4124	chrome.exe	89
PID 4124 wrote to memory of 2576	4124	chrome.exe	90
PID 4124 wrote to memory of 2576	4124	chrome.exe	90
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91
PID 4124 wrote to memory of 2460	4124	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.aiim.org/pdfa/ns/id/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff843b99758,0x7ff843b99768,0x7ff843b99778
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:2
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=992 --field-trial-handle=1860,i,9432799690513272032,17105478980031961991,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
df334ada3e790c4beed729b5608cc823

SHA1
adf34023f8bd5257865f0db4724b623f6c202bd9

SHA256
77883c2edea10c0c6589cb12a38f6a7a26854cd5e49566e22509f5f439fb8f3c

SHA512
321c9d4993f225e964060857c1b568fd1f62cc5a8575c7f2044ac46034251ef809580c2690bfeca1c5f97399fbe8bda67088a3526a8d4fcdde9e6c896e777cbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
9f001bee3dbba45bf9822c16a26bf27e

SHA1
d2c919e4524a90bfab02a1805442b9cba1e6f645

SHA256
dd5ed8307dfc724b9913252ffd737272b35e741815171cb6a6f0a417b35ac9b0

SHA512
3e63821419ebe40f5406a399ff72af8f74efaaa2747bc199259aaae7abc88dcb70ec70553bc1e24f68febfebbb36d2cab257275695be7dcbe746050b029d7ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
40c43540abbaad95fdd4020b300bfe51

SHA1
ee318762a1a2b8a04fc56fed73023de44593356f

SHA256
a1c416f24ea9e494fd12c903948fc1f6a49db5c447d57103bd7440122f0d553d

SHA512
f82b4f40a864c788b9c6949a5a9c62a8d4067ab8275f2fc1137384e441fb33173e671d3735a125fdaf33e5b233a704c9224901001311d33156e0d53f4ea6e14d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5b561255b05609ed6e8f9e7ac617f372

SHA1
cd85225658d6b29610c1c8d98a8bac014cffa866

SHA256
6d97e6c8626b151ee87b9ffdbc8bf6576f039ae69d01993214232fd73ea3f519

SHA512
b24fc83461a140c6ec707e5bdddc42d85218e7cc662720e2467fad2ce6519acbea7d5506f31c06fc30011934f370ef8acb164a085686cce1d850e6c36b28fe77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bf01bd9d5a532d782cfb7767308a5a7d

SHA1
0fcc5b2251b00a4ddccfa859d66a76a52d0b9202

SHA256
2e96588af241c1814c749eadd5a5a106a55a67dbc0881422736f6e08b9d30229

SHA512
62ffba3311ce30d00d1b18c92fbfa60f5d93725edac8ed4b248a4f360bfdaf32f9c1f08ba26ae7bd4b0b728e6795b7cbee92fdf62c007a56ee322fa750c01f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e629d429be7b89c2895d560a7b63c129

SHA1
56b22d4450d81acccec6905cb68106899e6e3acf

SHA256
b2d0af495275b1dbc7ae540702053547d7e1cd4e2001440cc7a3066866e861b0

SHA512
5cffd4f15d5b2765e244eacac409c5764127ea938932daf6039a25bba0d8fbb9a5c6ee0777d08cf6a62f4cf8af99d508040ab2ffcbfd50989f04c5d785421a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a07e095c1310d1d5259c1af1b439e666

SHA1
ddbb4f1061bffdd77f567b01a7b044d692ee79e8

SHA256
08c68f742b43cbf348c3262180ead74a5774b160cbc51e7b09df6a0211702d86

SHA512
85c5d24d6d4217cd0ca37e9ea33ac986e9ce2adad97ebc4694797087128bfc289d2fc8c67a983de504273cf77fcc28b629f5f4f69bbdf0adbaf3c57bbbc23abe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
4e4d3e471764075549f5e90431d4dfcd

SHA1
053b89fe5634b221a9fdc55cc1114a75c8951849

SHA256
52bd52916d89e966d2e5a1da22a5ac87e2773f0e6e3e1eadf53cf50ecc9c4f62

SHA512
a2dd029eefda21b55f559ce9c67cbe1b2731ba9026bee447fcfaed056a9ac08a319f3f1f4773c65064636342dd9afc2d7ded80998ffa8bbfdb068405b9472779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit