hxxp://dsl3-128[.]1scom[.]net

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2023, 20:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://dsl3-128.1scom.net

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133355695737694194"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
2920	chrome.exe
2920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3968	1164	chrome.exe	58
PID 1164 wrote to memory of 3968	1164	chrome.exe	58
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 3480	1164	chrome.exe	87
PID 1164 wrote to memory of 4424	1164	chrome.exe	91
PID 1164 wrote to memory of 4424	1164	chrome.exe	91
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89
PID 1164 wrote to memory of 5076	1164	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://dsl3-128.1scom.net
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfecd9758,0x7ffcfecd9768,0x7ffcfecd9778
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:2
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4716 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3280 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3776 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=212 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3352 --field-trial-handle=1960,i,13418286584034281495,16598600403191207337,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c59e64a6c24ced35b719603be9deb3e8

SHA1
da2233620ff75ca5a9d1f3006e245fbd2f160c63

SHA256
882ddadcd531e2e2e65f1f5ae1446a778f14d8cefbffabd265111dcf9debbfdc

SHA512
5df07d04c45dc6f3edb9698cda494bc926b616f8943c6e04711724aa8ad240be48cb7eee4c111f75169dce6ac3495d1fb9460e30c900cca7b5000b889bef1132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d83d789b3406d7773f6ca640ee5a749c

SHA1
205e217bc132a1a0380023e1f143432407b5c40c

SHA256
7f4f553bad45813aad69cf815970597e0276141f028275865b146271d5033973

SHA512
863b70f4fc8940dd1b883e8f3cbe36d703ccd9badfd6f9af54da67f9d52a26a53609199efa60a2bcd79c63aadb6a10b1be96e25bfc8ca71986c5d94a66054e14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13b40ab91e977a5cd0979471c20365fd

SHA1
e70746f3a0dba45d2e361a79f522d0245a40543a

SHA256
77b9190152c98e266cf5a56ccacb0e59eaa8383f8cf6c114d675ed5f96a02fed

SHA512
f207cd00bbaf638c204be6b76c5b7e7b98442f1419ad4dc42070834fe72e796898e60fe544718000de1e847ade03309f67316e4ecddd34a042692805f2d2a5d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
070f20eb4eb561da1b3419bb7f6ce993

SHA1
96a596c2237c72cf71a639556ffbdbdac6f9b771

SHA256
22cecfced0ad4565664494bed07b1c408054aec3bfcc89ddb327f281f0a8b6ae

SHA512
fe1fd92ac4c39bb3b9f3d078a5ca226870453e0d3fa15e59e60ec9cf414e6565423cf8faf902cd7cabfcf63e19956df0279ddc8a09d6b754a6f458eee27392cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit