Analysis Overview
Threat Level: Likely benign
The file https://r20.rs6.net/tn.jsp?f=001KyiOQr5NG80Fzn57jM4Ke_HWp6AkxxFaq-QZHr0SB5kGY03_32hvdgVHe-sYdWzsHex71tyd33ZG72ha7b-aLedwopqEjRTpjOeD13CN380CoGPZ3Y2vpDaiht80Y1jEVCId2gvuzBCBUuA_teqHGA==&c=&ch=&__=/asdf/amVubmlmZXIuZmFnZW5zb25AaW9uZ3JvdXAuY29t was found to be: Likely benign.
Malicious Activity Summary
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-10-19 07:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-10-19 07:33
Reported: 2023-10-19 07:35
Platform: win10v2004-20230915-en
Max time kernel: 93s
Max time network: 98s
Command Line
Signatures
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133421744458439635" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://r20.rs6.net/tn.jsp?f=001KyiOQr5NG80Fzn57jM4Ke_HWp6AkxxFaq-QZHr0SB5kGY03_32hvdgVHe-sYdWzsHex71tyd33ZG72ha7b-aLedwopqEjRTpjOeD13CN380CoGPZ3Y2vpDaiht80Y1jEVCId2gvuzBCBUuA_teqHGA==&c=&ch=&__=/asdf/amVubmlmZXIuZmFnZW5zb25AaW9uZ3JvdXAuY29t
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9e9b9758,0x7ffa9e9b9768,0x7ffa9e9b9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4688 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4944 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5112 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5272 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5820 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4664 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5876 --field-trial-handle=1872,i,9236442981111049879,9730652208314734418,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r20.rs6.net | udp |
| US | 208.75.122.11:443 | r20.rs6.net | tcp |
| US | 8.8.8.8:53 | 202.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.122.75.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tetheriumdao.com | udp |
| US | 162.241.120.242:443 | tetheriumdao.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | f1bfd716.1266b8dd0c622df28d9af103.workers.dev | udp |
| US | 172.67.170.232:443 | f1bfd716.1266b8dd0c622df28d9af103.workers.dev | tcp |
| US | 172.67.170.232:443 | f1bfd716.1266b8dd0c622df28d9af103.workers.dev | tcp |
| US | 8.8.8.8:53 | challenges.cloudflare.com | udp |
| US | 104.17.3.184:443 | challenges.cloudflare.com | tcp |
| US | 104.17.3.184:443 | challenges.cloudflare.com | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.120.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 172.67.170.232:443 | f1bfd716.1266b8dd0c622df28d9af103.workers.dev | udp |
| US | 8.8.8.8:53 | 184.3.17.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | officesexyp.com | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | 17.66.230.5.in-addr.arpa | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| DE | 5.230.66.17:443 | officesexyp.com | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | identity.nel.measure.office.net | udp |
| US | 2.18.121.81:443 | identity.nel.measure.office.net | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | 81.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 13.107.246.67:443 | aadcdn.msauth.net | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| NL | 52.97.144.178:443 | outlook.office365.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | r4.res.office365.com | udp |
| FR | 2.16.11.75:443 | r4.res.office365.com | tcp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.144.97.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | privacy.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | autologon.microsoftazuread-sso.com | udp |
| IE | 20.190.159.2:443 | autologon.microsoftazuread-sso.com | tcp |
| US | 8.8.8.8:53 | 75.11.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | aadcdn.msauthimages.net | udp |
| US | 8.8.8.8:53 | passwordreset.microsoftonline.com | udp |
| US | 152.199.23.72:443 | aadcdn.msauthimages.net | tcp |
| US | 152.199.23.72:443 | aadcdn.msauthimages.net | tcp |
| US | 8.8.8.8:53 | 72.23.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 13.107.246.67:443 | aadcdn.msauth.net | tcp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| NL | 40.99.204.194:443 | outlook.office365.com | udp |
| DE | 5.230.66.17:443 | officesexyp.com | tcp |
| US | 8.8.8.8:53 | 194.204.99.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | privacy.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | aadcdn.msauthimages.net | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0c4b0f6e6da89400762445ed1c603410 |
| SHA1 | 91a62eb89fa8893ca5479e6be9ae1d309973002d |
| SHA256 | 322202d0f7739d1c8b8e847c5bb93b45f22f4f42d1abd7a603bfacaa416de559 |
| SHA512 | 5eadb62602577af932864d6edbfe757f575ff289986a939c6c277794dd19006c23fa55a1953bdacc2e7fba517fcee9cd0586cf2411233746270ff416255fb549 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5aa82e538b102765ddf217a23e6091b8 |
| SHA1 | 5529d7fa0bd1d29b3ddb2c2e1fe01acd2e772ee5 |
| SHA256 | 6b6fee9d2107ae99c5103cb22eb08faee500afb94d70999ae0dc2c61162a093d |
| SHA512 | de1dc8b470427d6133741ef0bc10dfc547c7f30659f35eada9a3b8e46f292e00fa71ce70e97a8be05b157186b6ec598d31fc3c45c50e7d09e014c19e95432bee |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a0f52b98fccfedc65d5e83d6eef021f3 |
| SHA1 | c419870a6ca6f8a28075622077e3674e0d01fc1e |
| SHA256 | 46910ca1ac25cbd67b94a5c97b914b751494f3818f9e637a95478dd225962362 |
| SHA512 | 983b8cca8c806db131492860efa8698a567bdf6d3bfff7b233e191b22dd38daddd43c92088add9a3c864f995c1932eb9a897bf7cdf203fc01e5710c5c4a35eeb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | eedbe20e225f47fb51589afb27100bfc |
| SHA1 | 6a222d565062b22052165fe783f702cb416b6838 |
| SHA256 | 00e6a112af3b0e6d2918b2ec979d2745c81bec75454f95227b7a71dace661258 |
| SHA512 | d6565fc5668ff80729ccb0fecb32fadab831219755c4d5d965d65ec4e6c10e0fa9dbccb5655b936a7f0041713e30a8e320b93406a8b9e90adda55c33b8a0b27b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2c126110589145d8d5157fd543e2fe95 |
| SHA1 | 8512b1ccf19b78efd401ff8c291abac1ab1f658b |
| SHA256 | e590862706ed189cfaf87d3faa555aa3b399cfe41f1ab1768a31651f7fc3526a |
| SHA512 | 2a089f8a3ffa19c30e6370a6ce4a0ae511a7d66364d4b0b5c9bc8f10ae25b47e17def19d44a2bedd0542c364bf1ee21e8595b6f8e68dc534b7d5603e0e98d49a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 7933d2f767c5b6c86f61c549d7f51893 |
| SHA1 | 8a85e9818db97af9cc27cea134c38e1c416fe02d |
| SHA256 | a036c9afa3e2b1fbd4bb8996fd653f9ea09f343405d4e99f2085f48d00612455 |
| SHA512 | 9154679ed8f4edb5bf96c043fa91d6535cefa0cf0dd0d9ff1c9d14106013fe5727cdca4d0c35614ad3551aeec2ac1cb87f8b0dae0b524e3856394929c6c17e8f |