hxxps://forms[.]gle/oZ3aDJNfPDUm6nNd9

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://forms.gle/oZ3aDJNfPDUm6nNd9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133425312562856274"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1572	chrome.exe
1572	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2220	1572	chrome.exe	73
PID 1572 wrote to memory of 2220	1572	chrome.exe	73
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 3216	1572	chrome.exe	88
PID 1572 wrote to memory of 180	1572	chrome.exe	89
PID 1572 wrote to memory of 180	1572	chrome.exe	89
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90
PID 1572 wrote to memory of 5008	1572	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://forms.gle/oZ3aDJNfPDUm6nNd9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff978c59758,0x7ff978c59768,0x7ff978c59778
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:2
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 --field-trial-handle=1848,i,8326292214746116629,14299094305660586808,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b410f54df983828c1797b11ed201d721

SHA1
9316d3d302dcc58cbf8ad034fc26b901d53a67d9

SHA256
9a2c395f03dabf30fb5aecce8978c142e6b2b4d647e147fa6fe97b039e7b5b03

SHA512
ce0a299b8b3b3ca608bbb8b119e8f3459351114aeb9637f76625f1bd1efbf6f10d9bfc6c9e405867906197f0316b07c4ae668dcdb717a624c25a22dee548ef46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
59975d789ca6de98f765a6aea0ebf785

SHA1
3b6a8204142419147506f003c5789d4e0dbf4fc8

SHA256
5b9bd282c2f3eb172e1a902f0f8924ab26457d145f616ce69a9cf01b9f9654a6

SHA512
45ab7fa823006e4109f8e5b3fa9b14d5062349f0c9dce94c7038675a86f454febb5598118a51428bc09977a80eac57006b262ba971b51fd7b88ab88ec28b1594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a4de1f68e2df3d05af65fc4850b55015

SHA1
14454870262e3fdfd6d74e5d814bebbbd7d07b84

SHA256
8de88d482f9b86809551ed8330138e078ed03a16a2d320aef2f5058abd79685b

SHA512
2281717caed6351a5102d1709fcfbe37669ee6b1d0d4db975591b05e1fd79cc7fe11a75477b2ce6d4aeaeea1ed38deeb4686d88bc01b14262c24b9c8c83c3554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
0e4f333373713e32a3f9440e029e74ae

SHA1
7967637b252cac309db98ed47849e0423bd49bb5

SHA256
b9b402cf7afe3d180b45d90db9b0878c13236a305be2fe9687ef8e5a3d5352ca

SHA512
5c72649d86d2113f6335e14f0bcad7812f2ab4f62d97bf0266aa99de63c3f34f14a9b5d6da698385f142ec1529540e338fd6f9108ec113b04b817a2d6f8b6960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
231196127ea44928a05c12fb6525c7a3

SHA1
3d483ed6d811723e6995740b783c27eefb04fab0

SHA256
ca3d64c0c2352f5c5abad5bd8c8a3a8f03b277cc7f5fc13884c3a97634a08b34

SHA512
b6ffb79fb95e5f25e379028eb18393b0230f587a28aa6a1d6b1aa382e62e77d958db42c59d585786dd06ec840ff9335860a530b756f3d38c1a34057666a7c244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
72763aee87fc171b87c0e1ef1c239639

SHA1
d02a535fef3d019ce1f88f5dd536a8a886a49f52

SHA256
45ee730df717dcf5dd6b555e9241ae7d9929a6e6e1c513b33b36087aa562ea1c

SHA512
cd7c59f5b8571076c9b6f921d658a50aad8f8f7f1f6d3abc70b358d6ee217a7b3487515cbe1ba057a72937976725d989695b679d63de1033a9bcf18949aac809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
9cdccae55b26ea3aaf1ae3429419f1b9

SHA1
7ac74503c8f550f4b475b4dc728a98cbee680b5f

SHA256
aaecc0bd7e72fc816c1094c8be3e2cd1bda078b0abbf01b48630f381a2f3c1a8

SHA512
de6419d793b2666e9a361d0747766ea74d5425aa77c6655c0f3a46341bad7ad0574bd1c2233fd7d9fad40d1a052b2c122405ec7a41b2025464e7105ef1792fb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit