hxxp://service[.]exmail[.]qq[.]com/cgi-bin/help?subtype=1&&id=29&&no=188

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 18:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://service.exmail.qq.com/cgi-bin/help?subtype=1&&id=29&&no=188

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377223487551937"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe
1880	chrome.exe
1880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeCreatePagefilePrivilege	2776	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3996	2776	chrome.exe	81
PID 2776 wrote to memory of 3996	2776	chrome.exe	81
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 2076	2776	chrome.exe	83
PID 2776 wrote to memory of 1148	2776	chrome.exe	85
PID 2776 wrote to memory of 1148	2776	chrome.exe	85
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84
PID 2776 wrote to memory of 3064	2776	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://service.exmail.qq.com/cgi-bin/help?subtype=1&&id=29&&no=188
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff989109758,0x7ff989109768,0x7ff989109778
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1876,i,8418253733695825137,2441432410010790649,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
8df56723466fd64b5d2badb688575848

SHA1
a47cf7afa1e5c6f178561a7a51285934ea39c28a

SHA256
557152e9efc039c0477f54ed48872126b760fc00c74a203553617fc754a740bb

SHA512
40c346cc19d617bfe94db65a424535d6e75a77df46945e0bc4e07dffe8a42005e102b4b9112bf36d96bcd5230671eff3fc99630a78046955665e5c67928ca324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
33503dcc20a3604a4d48bdf5fa6a5ae9

SHA1
b1cdff01eec5c4b5e10b3658a48b108d9c3fa99a

SHA256
5943156823ef84d7938cee26e1b9cef9785010f0a470d6e76db30442b0a0dd07

SHA512
4ff845c4af8ce4291139d797636b91aeec9fb3b71523b57126f388dbc09be2600ef688b5e8dd72fd6f631f66227cc37a17d78483fdd6169bbb43f664a50b5631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9f7c13921eef36d2d73387eacb0f74f5

SHA1
2e05271d8c81b7f09377708fdcf599523e58e098

SHA256
3292a29a0f4557754344e7ebe0925d69c8e8b6cd4a0ea6c45bdf691999dead61

SHA512
4eb38a5b27898b49b05c8b37e5f1b71d4279657ce771445b38ba5b3888f127907014799d1adcf87a0d7d858b4feeb207ac2e70800c2cabc614a80cff7b487066

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1036ee21d000ed1ce05e65d5d8185131

SHA1
e3be3e24c9b7c298e245a6929eb3b7b4493950df

SHA256
cfb7734f7ddbc0061b80c852de5c514fe2c02b78c84f1f9d65e6d1f4729f5016

SHA512
a1bcd333bd9ba2aa20996535eb60e7b643b6f152949c678824482ea02cb124e3b66f47960e6d84ec42125b7b5e80beea5f9a9451a92711520080ba051e863dac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
c7d3b9bf17fdb9aa7517e323d034932e

SHA1
70803b81554def5b95cb52670d9acee08d3ec5f1

SHA256
3a52ac97e83ee877f74b0e1e9aec747173f0dc9b680aaf718d45376399fcdac5

SHA512
d8a8bb31eef05f0f202d69085340b28b285aab291628949a3ecbc1ba4b7c10114cdc07d9328cf2065f6756e09fd3e0d36fe1c9af56b21f69036278e6b45774e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit