hxxps://protegermipc[.]net/2021/07/07/probar-antivirus-de-forma-segura/

Analysis

max time kernel
1800s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protegermipc.net/2021/07/07/probar-antivirus-de-forma-segura/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133550246175674354"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
5328	chrome.exe
5328	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe
Token: SeShutdownPrivilege	2592	chrome.exe
Token: SeCreatePagefilePrivilege	2592	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2172	2592	chrome.exe	89
PID 2592 wrote to memory of 2172	2592	chrome.exe	89
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3556	2592	chrome.exe	91
PID 2592 wrote to memory of 3520	2592	chrome.exe	92
PID 2592 wrote to memory of 3520	2592	chrome.exe	92
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93
PID 2592 wrote to memory of 3304	2592	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://protegermipc.net/2021/07/07/probar-antivirus-de-forma-segura/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6f5d9758,0x7ffa6f5d9768,0x7ffa6f5d9778
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:2
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5108 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5112 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1828,i,11825989011744417749,1366940909184284901,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
eafa39a42b9e3529d6ca61dbf6ac15fd

SHA1
fc8d8933bc6fbbb8f57d523f1b7befefe2b9f307

SHA256
7b2180198cdc3b517e48883cb70b1dd14983da459d09d260c78a902974c0e1e1

SHA512
ef3dcede5ea77e84e49f214be36234ac4c06edf29b3e7683df4aeff716ea0fbc2fa9ecaed56b603831719234de4fbd7a9e9b195545f72b880792fbff630295b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b2237509176c65bea3320b8ac3491cbb

SHA1
b0bbb20c37f4b1415f73caaaafd495bf2b41bfb2

SHA256
4d1506243f802e9f1f4ab963b0cabbb02ad0a94a62d8a5c90fcfa37702c10f12

SHA512
95f0a44c4425e422108b2933168198b5a3a33f92bef24faf6fa885b33e04b78a0566d71bca4554fab00f453c79e4b2ced5d28f90b3269f45a3a11450efc30992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
25221e7ee1940b69ee3cebe6008ca860

SHA1
b5e29e6e767f36b37afc241a46efff6ad3d59aec

SHA256
1e5e0a9f91ba66c78cc687cbb376cf867286c05d125ca1afe1448570b139df04

SHA512
99a59780301cb5c60106b51a158f89d69a9574842e18744d613e85cf6b117766b46d6b3187053404c3260488fa9f4c35496fe54d1cb1527dc61b3352ceb1419f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
20224798f885a7af97bcd5ca81eecaf8

SHA1
a936d5a7942b41f693e49339d324c246181b23c7

SHA256
2e300e3184b8f8ddfe7da6ff123a05a362dc309c227307d31095298de13e1844

SHA512
9647797dbcb8d23b06ab43421fdb47a3a03a1d7db97d2ca6e116c84ba22160550172022be53ec03bb4bebd0eaf0dcb2517be3b9e73e9f6d92a89479dbe1e85b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
8690b0fd62a66aada1cd0aa58ed7f0ad

SHA1
40e9a0aeb68467ba3456a83c23c982d7603ba2a9

SHA256
ed2f9ecf42885b5e48248fa3837e2a877d10da8698f8aad7c4015b92a23cefc5

SHA512
712430145850409172aa32366f2c8870f61b917943c4028d01987a6c3e0ff10d323c64d7cee55c586325ef7379f023f2c42456c982131d00451b132ad215f9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit