hxxp://ha25sl1t29mg4lym4a01af4n8l[.]org

Analysis

max time kernel
301s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://ha25sl1t29mg4lym4a01af4n8l.org

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373658028293018"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 4988	2756	chrome.exe	14
PID 2756 wrote to memory of 4988	2756	chrome.exe	14
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 2492	2756	chrome.exe	84
PID 2756 wrote to memory of 4372	2756	chrome.exe	88
PID 2756 wrote to memory of 4372	2756	chrome.exe	88
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85
PID 2756 wrote to memory of 4208	2756	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://ha25sl1t29mg4lym4a01af4n8l.org
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe60199758,0x7ffe60199768,0x7ffe60199778
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4076 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4032 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4976 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3004 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3332 --field-trial-handle=1872,i,14610015935882152583,15209259892295319413,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
56b6d5f23a555a48fba89c84ebb5ac03

SHA1
3b0d0f594d5087b6ac44d8ba2f86c8bb9af5bec5

SHA256
da23f313e0e29a50f55793ecad1cfe0fe0ad8308594ba8e84e3ac0546c0ddb32

SHA512
5e74c32e00a7cf156fe21868698c4b9ad56893692d231b6f6b15ceddf78410e2fbed12ad98fb12505bcd7984ba32d53f74508300147b73e5c3cf652ace066b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d46607a34dd81d96ed5b1f77c4eb146c

SHA1
847a3c80b399482c74d58fb1abccc9b7c4423e81

SHA256
094018d746c0a96a10653f1bced1677ea321893089a305ec65be85278a40bbf3

SHA512
6559875726e3147cae97a13b4b54af6920c254f9e61e7e55a062c1143d0c6098efd812c07fdfc9c9e028c1de3f050e0d9e2d2878e3fbc3702327b7718178ccbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
669f6e2e539fb7e50e316768f3bd5359

SHA1
c2fe736d5e9858de74578323d89385486b6f3e52

SHA256
0298113798b7dfabc47a94f5db0ee39dff76b6a57feadd9750cb9c416de183f3

SHA512
81c8eda5a5bfd7f2b1247546a184326db2334bcfbf78853462a989ae0919a7411fb69563aae351a31437ff13fa0ad5c8175db69744cfbc19bfad8a21899eb503

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
99392e93b56878628154be2e138154e4

SHA1
5c51c478c04ce68edf7686245ed30f513b90b7e8

SHA256
58ea29f06c1a64f4e6bb06db61eb222ead1aa7865484f39f32ccba30f768aa04

SHA512
fc2bfc485d07cbf300b7dc1dd60b8d3510290cdec93924c326c8b614ede538fc560134766b33b8a8b56e770cd413b19c8e5b85a8eb466e0443199fb788c3d6bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit