hxxps://fra2[.]hostclusters[.]com/%7Ewmalprazo/TRCspanREACTIVAR

Analysis

max time kernel
1199s
max time network
1088s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
07/08/2023, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fra2.hostclusters.com/%7Ewmalprazo/TRCspanREACTIVAR

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358846857170899"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4492	4364	chrome.exe	69
PID 4364 wrote to memory of 4492	4364	chrome.exe	69
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 2428	4364	chrome.exe	75
PID 4364 wrote to memory of 4484	4364	chrome.exe	71
PID 4364 wrote to memory of 4484	4364	chrome.exe	71
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72
PID 4364 wrote to memory of 4176	4364	chrome.exe	72

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://fra2.hostclusters.com/%7Ewmalprazo/TRCspanREACTIVAR
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe8eaf9758,0x7ffe8eaf9768,0x7ffe8eaf9778
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2836 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:2
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4988 --field-trial-handle=1772,i,16002414260095485546,3284005132307326142,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
858B

MD5
87c8836b808919fc945dd20e1da20ce0

SHA1
f466b25bc4baa9ea39b804bd990b2b1f9d2bc308

SHA256
570f4964a3fe3b28033d5bba6856ab6e4db820308555d0140e0135f8eb47bf18

SHA512
8d70d7f0c1d401b069e9afd09c40168be163f719783c74b1a1091d645e3344e875aee6a04cf90c1ea2acebe0a9443da289dd019e18becd0b837aadfe4b9d92b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
dc9451b5985b78f0099ad79ecfc34aa4

SHA1
b734ebd0fe9c2490c73effbc9086af6823ba48d2

SHA256
04447c26f661d6f1a6ecd2553e4a4a7a4a195ca31a8c9ab79c3c92d8ac4002d8

SHA512
cacde59f25f07385e09ff23eb445d58234d468e34abfb5079f101249db19c97393b65a55df23cd6c61fe042ff46b65db2d2ec3576c1f6de6b81730476f84bd88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
995e2bedb6eb2300e77105fb67b3c241

SHA1
dd321164e519313e11bddf5b120496d37e2f3578

SHA256
edfb89474367915631b5d5f09689d637f698e28293a8d91471aac1e1f72755a5

SHA512
124a500c39913f670e8c5e70190cffe393aa832bdc0b14935112b5d8f1220f6a09f456024892795871a8253bf899f27259a9352d43401770c399d61f32c74218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
576df2654c256f829d36540232ef94ed

SHA1
1b5e5909dfbc8f4aa5bfea41823dcde055ab6187

SHA256
ad45cbc5a9709725d616a348431ecaff0795685b1c78772fd255ac18769c2e7b

SHA512
57933663468c55a2e5a988ef12d9fd94007aab4405788c14a97166ec725148c41e2b64da100ba9727e24640c0cef8752dcd1c55fa9f4ca138b7b8e648b9a6502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
edc3eba5fb407daa4aaae585423fed7b

SHA1
54f57077ec829ee4ea8451027c20f9472899bc31

SHA256
d273ec06069681cb34b768744acbde33f0004b71b0d6adfc3dea66c960bdea79

SHA512
50ab0a06a97b9915fa4f2b23a93c5c61f3afdf861afa717932a554bfcdce2f5eb671377ea35c9ecb4aba0c17cd6163b7291e83f98228a8436281575b50942933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
6cf91641d13f70bd34838f76e5aef7f3

SHA1
07117e99d95020fbcb7fa3330e53944aa2394138

SHA256
13d9f274410ee84f09a9bf25bafcd7819965e6c3b325527d78e430c745f7a4b7

SHA512
9654f19e22df44871cd9de56266e241cd7ffaebf51bb3c5566a3e17ade7dc25e0af58c4ba5ed5572a13574339438c1b89160042ef4e38634a3244e7f9698c453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit