hxxps://click[.]email[.]active[.]com/f/a/5ce5bO7Re7LBTWZD0_HQMg~~/AAOtGgA~/RgRmvkWNP0SCaHR0cHM6Ly9jb21tdXNlcnVpLXZpcC5hdy5hY3RpdmUuY29tL2VtYWlsL29wdG91dC9hZ2VuY3kvRkI1RUZBNjQtNzdDRC00MkQ4LTg4RTQtQjcwQzQzM0IwRkE1L2M2YmQxYWExLTU5MzYtNDQyYi05NDFkLTUxM2RhNTI5NzMxOVcDc3BjQgpk1KDA22QBWbO0Uh5rYXJlbi5sYXl0b25AZmlyc3RjaXRpemVucy5jb21YBAAAAAs~

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://click.email.active.com/f/a/5ce5bO7Re7LBTWZD0_HQMg~~/AAOtGgA~/RgRmvkWNP0SCaHR0cHM6Ly9jb21tdXNlcnVpLXZpcC5hdy5hY3RpdmUuY29tL2VtYWlsL29wdG91dC9hZ2VuY3kvRkI1RUZBNjQtNzdDRC00MkQ4LTg4RTQtQjcwQzQzM0IwRkE1L2M2YmQxYWExLTU5MzYtNDQyYi05NDFkLTUxM2RhNTI5NzMxOVcDc3BjQgpk1KDA22QBWbO0Uh5rYXJlbi5sYXl0b25AZmlyc3RjaXRpemVucy5jb21YBAAAAAs~

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133366005299278302"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
3904	chrome.exe
3904	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3960	2512	chrome.exe	33
PID 2512 wrote to memory of 3960	2512	chrome.exe	33
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 4260	2512	chrome.exe	84
PID 2512 wrote to memory of 1960	2512	chrome.exe	85
PID 2512 wrote to memory of 1960	2512	chrome.exe	85
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86
PID 2512 wrote to memory of 3272	2512	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://click.email.active.com/f/a/5ce5bO7Re7LBTWZD0_HQMg~~/AAOtGgA~/RgRmvkWNP0SCaHR0cHM6Ly9jb21tdXNlcnVpLXZpcC5hdy5hY3RpdmUuY29tL2VtYWlsL29wdG91dC9hZ2VuY3kvRkI1RUZBNjQtNzdDRC00MkQ4LTg4RTQtQjcwQzQzM0IwRkE1L2M2YmQxYWExLTU5MzYtNDQyYi05NDFkLTUxM2RhNTI5NzMxOVcDc3BjQgpk1KDA22QBWbO0Uh5rYXJlbi5sYXl0b25AZmlyc3RjaXRpemVucy5jb21YBAAAAAs~
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc19759758,0x7ffc19759768,0x7ffc19759778
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:2
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:1
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=1872,i,3512023416460866229,2062474656979024068,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7247128388aaa7dcfe6b244832071b69

SHA1
5e21e822ef18e6e977817d0d5e476c27c76a6fd2

SHA256
8ae5c6797418317428d8bddec47d4beb984ef64b75fa7740ffe53544bca4b14d

SHA512
0cd066894d6bc4a854b7af60ef4aa4c61529521d1b31a7c58410a505688d3714d8c99deeea6b7a62b89a2ce4023b7261cf4b53fcc492a26ebe5bbc69ff65c4b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c1f52750d0271c4e352b28e76cd75b81

SHA1
a41ede94df970ed06cf5a9f1de58cb7c4b830a3a

SHA256
6c00c4501117b523603f3da8e4aebfe0705188d08b45c315f72abc911f9ce519

SHA512
4f20c8d2b0aa4da8de8ff3734c1fa3b342443c5d7133ec0ddf723fd01d945864e1da8776a412234fb836c2b9a63860c72f8b547a6fc883ae38560c2a97cd902e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fc5a4db5201a62eab4ce047fe06d633c

SHA1
c185fadcb8e22b2b68c44466b9e4d697cd226ab0

SHA256
bf065b225662746a1f939e3f7c68eeee2c2e2086892d55ce135e99f84b87d74f

SHA512
053d640588bf60a24e3c7d0d7fd97879093d50583b6fb52714421c58d0bd2cc6396702908952a525540300f56fd560477e4f2936542fe64041d95481105febff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
4b2865acd2a8c6683565382838dd09b4

SHA1
00bfff3bcbb40fc8d9ba9439f9c91ac55bb34c6b

SHA256
add68cac7eaeec8eb3988764c909c4af1f858d34ec2cb92bf2a37b0bb0957e79

SHA512
82accc3413b60e88f678f1ee13c142d1e0b043ec821485e131a254df4f8cce0229053b158e3ee994c3c0c948a3551968ea03cf067ad159fe960683a937959fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit