hxxps://survey3[.]medallia[.]com/?epw4kn2dv3zrrfrsfyb9&reject=begin

Analysis

max time kernel
300s
max time network
307s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
29/08/2023, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://survey3.medallia.com/?epw4kn2dv3zrrfrsfyb9&reject=begin

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377440354877865"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4412	chrome.exe
4412	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2784	4820	chrome.exe	70
PID 4820 wrote to memory of 2784	4820	chrome.exe	70
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 1080	4820	chrome.exe	73
PID 4820 wrote to memory of 4568	4820	chrome.exe	72
PID 4820 wrote to memory of 4568	4820	chrome.exe	72
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74
PID 4820 wrote to memory of 4544	4820	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://survey3.medallia.com/?epw4kn2dv3zrrfrsfyb9&reject=begin
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff92fd69758,0x7ff92fd69768,0x7ff92fd69778
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:2
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4412 --field-trial-handle=1824,i,3378894644345900789,15053951651549238672,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
aaf24cfb493178be6c5a1976ed70d70c

SHA1
40d7ab5101465eb905e66a5d16fe38eff34aa3b4

SHA256
bb13619f8f27b6ff7f2800cfc68c49f442e8e14b14b4820b1d4fd9aab2f58fad

SHA512
a5955cbc6162b2b455217773e222f8ae2dce3220e7f28f837184d563dbcbac1c6f5cdf57e6bc6b063163588e71d1ce500d81d6acf0d226f3a10521eee10c26d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e013ba39728973861e23a9747153a1d8

SHA1
e78b5df5fbce857bd9182ccc213729a08e7ad070

SHA256
4757cd88cb147dde943fdf3c9f6443837eee316b82b24da131c3e3da7c741994

SHA512
86c09c19001ab4f6eaa7a16dd3e29eeca2056c7348bc44d24c98f74d7c3146431f428ad1ebb268780088ec614eed20708fbff68c5df85e1a72230a2f130dc773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
fbaa6a22148991ab9d3035a13768443a

SHA1
6d5414e53b8e665cc3bf24eb2ae7ba107fcab6ff

SHA256
53623d157ab6f24fa147204407abc62e65a6f840d22c1168a72bfc4375f20173

SHA512
31aa25d6a79563dd36d6836f88eacf9bb886e9b62dae6b6cc01eca589203c098e1f949c80185c350d6fc51c05be5424119bf89e512d09745656cc2ac7bbbb872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
00d62734fbd42de35744fad3fdd70157

SHA1
d498083c55100e58087160a15914f2a1876d6b17

SHA256
3c08d7aace593ba7d0e1878ab4fd6c6cb8170143090e44a2205dfbff28958d57

SHA512
be1714dbf8a12f5eb4d9050950a4b70f5ddd58b49511bc43bfdeb0267137efec4e9f0ad51a7fb5450dd5edd752f3fa9b9f46159d427a041dc24d31c03e52e435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
37c415decc4e3e92a9f77bead7a57553

SHA1
2d1378f97754a9b6b8fd797ceb462a8dd4c9de31

SHA256
d9ef1465abd94092f80afd309d4af3afd3fad1f48df30495ebd8991e08ecde58

SHA512
ef2be34aaeb5c6db2dc459c39694b558fbe8018c5035b7d3e7eb67757586debb3f1ea5b36d1e286d34cef4e77cb778c812402ef2df8aa103f6b548a67c31b6c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d6f0b3b7f0ce672508eeca5707c79c10

SHA1
c805abda2bc7584db2bb05ac781b397c980fae4d

SHA256
b326d121f15ca63e0cfa42f31e1ad4050cb5c293519768b1153e973449ae6ba6

SHA512
e39d1469cf7e6c53e64e366da25f6a55540e8a459d6b4aea75ae25df3f3e479dcfb624fb51995ba0105ecc4f92da5b50b2d58a42c87d46edc2adcd12a2b8a4c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b2c6db9aec4774ddb4331c98b66ddcd3

SHA1
63a10ee851b08fd176ae925ec56e27126e06d3e3

SHA256
fcbb504affd20f8a6bc194eceff2bc7b78d378bcaec12d6c225e4fea9c91defc

SHA512
7beafad3109c92a6ce1e388579b2b3b57ee82aacd633cc8c70260edcc3b20fb0133f41e2912eccace2987b16aee53e69b7ee293d56e6297fa24315dce6f16dca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f5feb47a-db63-44ca-81ea-48985e9b9be1.tmp

Filesize
6KB

MD5
5f0b3aa5f5adc86c2f572dc60ca962e0

SHA1
65570a89e10d8aa145e09134fdba905c59443e56

SHA256
2d937f800a8d07d5088f53151d264a93ff7b897e00b776d9ea41f44bd06c763f

SHA512
5da0321b45d6defe81ed2e34c3a875f4fb2d1dcca31835ef754597e4047e06ecb658c96bb7fc9082544d5a77d8710eb3134807728838efd429d2ee6d29d398ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
38be81c002c9ad5dd428ea3c01478da7

SHA1
813d2de347a099697fcb2afeea72e8a3c7e22fdd

SHA256
eb08fb47032ab701c7bcbb9ab5a957d9e0f1e5dc53eab80f40e2d32adc0b605e

SHA512
e101ca9d5225cfa9f860ac41514bc4b5151c01f9901bc8bdc68fcdf3f16123936f4323097c0d3f50ce54e0c23585e89732a3f0c8ddd7ac9c791a023ca60c3460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit