hxxps://pub-5e34bcda437b499399d6abc116886480[.]r2[.]dev/indexR[.]html

General

Target

https://pub-5e34bcda437b499399d6abc116886480.r2.dev/indexR.html

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373720315724262"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3292 chrome.exe
3292 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3292 chrome.exe
3292 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3292 wrote to memory of 2244	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2244	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 2648	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 1992	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 1992	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe
PID 3292 wrote to memory of 4856	3292	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-5e34bcda437b499399d6abc116886480.r2.dev/indexR.html
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa5f489758,0x7ffa5f489768,0x7ffa5f489778
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:8
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:2
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:1
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:1
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3752 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:8
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:8
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1764,i,10632559619886226848,12367126105313201814,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8
1⤵
PID:4596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
168B

MD5
319ca316ae3b4cdd19289b9ad524eef1

SHA1
a1858b9bf63770487448f67a2a27fdfa73bd3d88

SHA256
16d539a40e643abfe04984388c606500e11b35f975d24bb93f728059a9a2ce6b

SHA512
562ae706be4605e4ef9023db2a2c632941c53a6a0883f2bc9d767601ebd1f9cbe55ada9e474a6517991c8e17d81e66d9e35b67c303d454b7edbdd4b20337af43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
cddce06b6a26d9a9e24b831add782ac7

SHA1
2418898847aab912da78d4a790133a0ebcc69a9b

SHA256
a1d5af515d08bc5966fe411f907e4ea353ea833f8c9aec072f343590af33585e

SHA512
88a73efd979b5f60cc5a363466e69eec5169c2f8410d4557e131800f1f381ad90eb8a724ce83428534d9b61fcd03fff72802d8c10b69ab64318d38e510ab88b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3d6d3c2a22f105a54d7fc477513de799

SHA1
103a0d6691935f6430edd96de00f40764bf591fe

SHA256
b3223ec4d68fc8d87126d2baeba6a1c8314ab52834e67de0d3ae839097d518ca

SHA512
2f88ac8e8f42c7797ffc1ecd6bd215aa19f71ebbb0b964d5fe984ff2e24c79b8238b771a7e3a473152905e647b5464a205f7fe58ee7f9fe3c3ae6781da2d636e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ce4dee46f9b8abe8d045bc9f9055b77a

SHA1
31a9f8446ff6706acd76917232288ec3e0a1a895

SHA256
cb604b5506004f4495162242ced8bf786c199fb42ec98a78f416056fc3b7ef04

SHA512
4d250c7402c0b3a1c230e5b08b90c606927783015f6d4b4922c4b5827ed73826c10131a2c6500b447819b30a4350c7e9833f3ed1d1b03d467518f5dfd633ea50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
87KB

MD5
4798ad52164e74b0cc042d7545efac64

SHA1
bb45ffddea8727840d2a20c44b11edc0d3019007

SHA256
0d4b19316fc7e8d38933b72c44a87a3f659cb563a5937da8ac2bc6a81268651c

SHA512
011db0d17eeccb7afd7be8045b86fc47088527660e0503abf54b7d2954645aa1aee8713ea784014eae8c8234a3d0b59eff9796a2581292cbed13c5ae2adf827b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3292_KQWTEXKYFDKSYODH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads