hxxp://hscheats[.]pages[.]dev

Analysis

max time kernel
1200s
max time network
1089s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10/04/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://hscheats.pages.dev

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572501084969523"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 1468	3132	chrome.exe	72
PID 3132 wrote to memory of 1468	3132	chrome.exe	72
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 1836	3132	chrome.exe	74
PID 3132 wrote to memory of 4840	3132	chrome.exe	75
PID 3132 wrote to memory of 4840	3132	chrome.exe	75
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76
PID 3132 wrote to memory of 208	3132	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://hscheats.pages.dev
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff915209758,0x7ff915209768,0x7ff915209778
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:2
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2636 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2648 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4696 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2856 --field-trial-handle=1788,i,11330580723789807020,17360069741606906935,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8983df4b-712d-44e3-85ca-6744949fb401.tmp

Filesize
6KB

MD5
5980cd0b9512dff226f6b03d45cce348

SHA1
4e4ee9a408a2029226cdcd8b6d561caaf00b6eb4

SHA256
729606cf500577c871cf47628e45457a0ed6d9be9cfee8b67cab275f21ee9b26

SHA512
83c528257bf088e6fd69a440a7dc0195f1d30b61b6387e9b4a7692875f3da7852c71d736d687d9d5d6011a96465a6258209270299f74f38457ad9e39e7425c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
03eb7a4ca0797ca78538a6c8a9b07de0

SHA1
903bfa201a38272695cd28d3a752ec116e48b0c9

SHA256
04cf9fa630e72638a34ba782d4ce69e198ab5e4c9a5613e5534df8d4817b0066

SHA512
a8fc6f93cd5cd9a7b5aa7383fa1299be57221ed3ec3c224535feea06da0fddd4d1be1a4a0c671cf8183fc4a7a5005ebd9c767dc522f620dadffa6128a52363a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c1bea5c54ec5b30675630b3b5fe93649

SHA1
18c7ab674a3f72f4edf0b0be5f66cfebe7d5587a

SHA256
f9e96b81f71fe77d3cd95ed26b5b762ea3d12c8dd28c5a9a044b0ebad99c9d8d

SHA512
f819d4b8529075182880199d2503e9ecd1ee2def0212d2fad7a0c9a48d6e170e2b0833fe1146960b4fc0911e9cc91e367fffc851f79ef93dc9ca705184fb23f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e9fe811d6249d6407741b7d93c7e2ee3

SHA1
d51275dbe0de0112253d94582c9ddcfd0c14a0a6

SHA256
5498756dfd7a747df6079d8d1a49b3188df80599f041fc7f9e4d4645c8dd8f7e

SHA512
497318d7e1867696c428e27bbae728af28ff6cbdd563fc8107f2438916d7db81110d312c10b267b8275d0d36b072c526f71aee2e21ef6472538f11bcc6c87e84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f577e1bbd183e7e88e9c057e3d4238f8

SHA1
cdb8f53d9f78c78f272308ba869ba860eebe8331

SHA256
328fb58a85c588e7728c6867627b718d3bc146158d52536ba46af4d8105c71de

SHA512
c3949a456bee113e56a39e9e06bd39e7ef077f07a78d4c79d41afcc4104823364ddfed4d85cd725d399338b4ff59142fa99d8e4b89bd07aed5b92e4b1ba5f435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
263b1a5a3d6e28f007625110cdba7cc5

SHA1
6006d57bbe54276b0c9c5a9d24b6b865cc75308f

SHA256
549ebb2844fd8af333a3d3cf109ce693e9524950bfa46e3f2c9801073eef5497

SHA512
103bfbbcee3c3d3a56945c4b64cd2338a676715eead62c96b6ea397ec14b053bc729b0329c6d6cf034e307f8ab6b76b95a89617b7cc44e34f453fc17f1fa5d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0b08d759d2689b8534fb85a31eaec70f

SHA1
04cf98a4970b51ddd06f1c63011c37996495af32

SHA256
d98f17786d42cb2cfe26b125e19a9523b5dc9a77e84be57472c803e7840c5b28

SHA512
c147e9e35fd4ef966f54c8c19df619f60dff22db9495840748f2f81dbf1c4661f5ef12558b06e2a03dd1a8abc2ceea104f83ef6c6e63e510ed8127dadbfd74f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
c9788d85de6efdc44721c8db5380b5d6

SHA1
4ae22e8db6ce32b3f262247a3a90caec111915b8

SHA256
9935cfa20cb9f2f321183f38d14741cfd0a3bdca4204cf1ce38680585d9f62e0

SHA512
1fce31ab7508162be699b1f411759f20912ada455f6a49f25f65d5ddd293e0cdb9ef56a85fb73dbc1885f17d2a5b2ad00fa429cff0971d393f758a6749ae63e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit