hxxp://www[.]aiim[.]org/pdfa/ns/extension/

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.aiim.org/pdfa/ns/extension/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3584	1772	chrome.exe	25
PID 1772 wrote to memory of 3584	1772	chrome.exe	25
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 1048	1772	chrome.exe	86
PID 1772 wrote to memory of 3124	1772	chrome.exe	84
PID 1772 wrote to memory of 3124	1772	chrome.exe	84
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85
PID 1772 wrote to memory of 2372	1772	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.aiim.org/pdfa/ns/extension/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbf3f9758,0x7ffdbf3f9768,0x7ffdbf3f9778
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:2
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3704 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3684 --field-trial-handle=1888,i,4908199293155893606,1228139061252268294,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
68ee94d86a72e550ed59927edab41ee5

SHA1
f61995c1c39dfd82ae6855f72c5d51f133029993

SHA256
9e7deaee79ee9cb88169b87f5705d56df0f1e008e4f42e45d4eb2c8025c1bfbf

SHA512
029368134bd406dba3fef6d4f0173c724ae0ad1d11abb9a09d0ea12af39b62f4dc9cece0bfd87d8a4d568b37080f6d814021862f6e64d746a1b7287ae3ffccee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
43b30db0aa753f5909f8041c3e822088

SHA1
58240e8114ebdd33b0880c6e5cad2f95ffced2d8

SHA256
269178ed7916052132d1927baf8fc849126aa80f4ea8055643267ce777abcbd1

SHA512
5e3d9cbb961c0ae6be8305e5dd784e852858e332da47c8df6152843be181ef8be7fb6c7107651f487975116a3fc32b9557947b58bde4b82d405c253e629101e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
29c186c982363eb6cfb92f527e03e1e9

SHA1
c19c24db78618590c88184f5a6d1580a565c2a5a

SHA256
ba29a0c346cbc2070653cb1891e532a71c42e3f685759c743f4434248394170b

SHA512
82eb92149f7bcb48604e7de57a2a452b8ea2939aa6fd5365c5184517f463e67fc34677cbfe6d775fce838f60b3d6f4879581a48f6f1cadb8148f247095bbf3cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9eff9956f2fc313edf85304895e26409

SHA1
d1823f73ef6763d5c721b838e1199bb5a4169b3d

SHA256
365e51a0ac03f49de511bf3340b067ce604ea32f24fd7e00da86267f29aa498a

SHA512
e59a34f889c226cf8e002e9fa64603ccd0303bbe6e828b4b9a9150e19cd276a30d5bd035353ff3954c2a5316e669846298bfe88470ad220ade1b17958bc6705a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f4bad7eb04d9badaef4567ee5908fe57

SHA1
bf7d57f0475e7876e27e693b11bbbcb5f53f76b9

SHA256
3b6158306f000bf25c1ef025afa1fe5cf8c07870bcc74c3535ebe2c517383d41

SHA512
6dd90939ebce25eca60c55ea4b2c6e8883dc84b6aef764a4d2842bca9e72f8e06e33e12cdc28ca285ec0be8dcd411b6ab8715ef9acc408cab71a1aa23ac1bf3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
e49dfd96888e309dcbb8b3eeb365fcce

SHA1
6041fbc45b5232f5fac1ef21d8888bd67ad1501a

SHA256
208ba26efbcdb494fc2cacbd518f5a760397573a92f06475a50028b6f188961a

SHA512
7660f0951a249faa55bfd886e0eb0646379020b753937d55bf587e2e7416321cbb042671ee8dcbcc6510fe6359efe8cfe99468efef6e1e2d12232aef4bc1cd8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit