hxxps://url[.]avanan[.]click/v2/___https[:]/urldefense[.]com/v3/__https[:]/aus01[.]safelinks[.]protection[.]outlook[.]com/?url=https%3A%2F%2Furldefense[.]com%2Fv3%2F__https%3A%2Fwww[.]publications[.]qld[.]gov[.]au%2Fckan-publications-attachments-prod%2Fresources%2Fc03f3c80-d6d3-4381-99cb-8243c9780057%2F21_1300ft_assoc_incorp_f10a_v10_0821[.]pdf%3FETag%3D443563c456351988e58ac38c858f033d__%3B!!PUY2jUP3Fp7oEg!HYeP4SEkktwnU79K0gnEqW_WyhEG5Q6_vroLlk8hWC6PYSh69ZG3PBfR39OtSzOeAjfZjT3zRBaQQzCjKABt2MuymF7P6g%24&data=05%7C01%7Cregistration[.]services%40justice[.]qld[.]gov[.]au%7Cfe2cf4d6e42e419b0f2308daff1819a9%7C583ea622975d4befa1d0d1f9c139f8b3%7C0%7C0%7C638102777262780673%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vFxJTLyUl7%2FppMWrE%2BfxFSWcItx4GngbWckBLw3CphI%3D&reserved=0

Analysis

max time kernel
61s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://url.avanan.click/v2/___https:/urldefense.com/v3/__https:/aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.publications.qld.gov.au%2Fckan-publications-attachments-prod%2Fresources%2Fc03f3c80-d6d3-4381-99cb-8243c9780057%2F21_1300ft_assoc_incorp_f10a_v10_0821.pdf%3FETag%3D443563c456351988e58ac38c858f033d__%3B!!PUY2jUP3Fp7oEg!HYeP4SEkktwnU79K0gnEqW_WyhEG5Q6_vroLlk8hWC6PYSh69ZG3PBfR39OtSzOeAjfZjT3zRBaQQzCjKABt2MuymF7P6g%24&data=05%7C01%7Cregistration.services%40justice.qld.gov.au%7Cfe2cf4d6e42e419b0f2308daff1819a9%7C583ea622975d4befa1d0d1f9c139f8b3%7C0%7C0%7C638102777262780673%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vFxJTLyUl7%2FppMWrE%2BfxFSWcItx4GngbWckBLw3CphI%3D&reserved=0

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373227687325407"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3896	1528	chrome.exe	63
PID 1528 wrote to memory of 3896	1528	chrome.exe	63
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1688	1528	chrome.exe	82
PID 1528 wrote to memory of 1548	1528	chrome.exe	83
PID 1528 wrote to memory of 1548	1528	chrome.exe	83
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84
PID 1528 wrote to memory of 3116	1528	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://url.avanan.click/v2/___https:/urldefense.com/v3/__https:/aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.publications.qld.gov.au%2Fckan-publications-attachments-prod%2Fresources%2Fc03f3c80-d6d3-4381-99cb-8243c9780057%2F21_1300ft_assoc_incorp_f10a_v10_0821.pdf%3FETag%3D443563c456351988e58ac38c858f033d__%3B!!PUY2jUP3Fp7oEg!HYeP4SEkktwnU79K0gnEqW_WyhEG5Q6_vroLlk8hWC6PYSh69ZG3PBfR39OtSzOeAjfZjT3zRBaQQzCjKABt2MuymF7P6g%24&data=05%7C01%7Cregistration.services%40justice.qld.gov.au%7Cfe2cf4d6e42e419b0f2308daff1819a9%7C583ea622975d4befa1d0d1f9c139f8b3%7C0%7C0%7C638102777262780673%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vFxJTLyUl7%2FppMWrE%2BfxFSWcItx4GngbWckBLw3CphI%3D&reserved=0
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff03de9758,0x7fff03de9768,0x7fff03de9778
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 --field-trial-handle=1808,i,16321260549756273803,6910246472384693568,131072 /prefetch:8
  2⤵
  PID:2320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
2c5fe20c77f68335300f56e02e82e87c

SHA1
a39e1cc4853f73d0f5020f86cd2c2ff6b2434732

SHA256
334a0224572dec0daa5d9568eba548731689ff029a22c71f374474934a2b12b5

SHA512
92064f61be8945cb201b31ca5bda7c8dfe3a089eb65b0032927d5bec6f519cd23abcb44b1b0008a5f280ac78ee15c991c8e6454558324d7d945a4002686abd26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
05c08e4a12371e370f30b4cce8d64264

SHA1
02d5771fac4d8ca6fdb35f7f8b3a254a434662aa

SHA256
2c6538b577aab36d47d388ce44f4658272c69f50617d123ae968d2d445f5daea

SHA512
180ba8820c40e17f712746f514d9317de2d005e222d6f6cdb21fbb30538544e59ab120b3a7e2b992ce1f3368fe35b977d3a5c11cc17baa5912b61683b6c1aac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a172aaae6bbd50805d6b24eeff07db2

SHA1
fee277f95e58bb06d23965e732b5d65c852a6e3e

SHA256
8aa2b7a909245743f104197d0e3ee9f9c4c8c134d50484b94d918246527edeae

SHA512
8608ca42a057dc5ea67db412f610163e136559f3551fe9423483f5cecd773bee1d2cf56b372781cb0e5004249928b30106141ca41c6b3c3814623b6a6cc0885f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
614bb4ebe571dc2a657eb984c0501062

SHA1
42ed4cb1799c348eeca2b93a061038e58dcaaeef

SHA256
fad14531ad3c867b876d495615d0b33313e0e6f6f7a55f919b08842592760776

SHA512
3ef2109b2dcfbd17edb4b55207c2b92fdfd0021f452678514f6cb43383a6dc9264b53bfa03d21e6e7f667bfe09b1ee2cf44555ca87bd427b2101a3e968a107a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit