hxxps://f-link[.]me/FSYSi

General

Target

https://f-link.me/FSYSi

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572977679026096"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1516 chrome.exe
1516 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1516 chrome.exe
1516 chrome.exe
1516 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exe

pid	process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1516 wrote to memory of 2308	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 2308	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4692	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 1660	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 1660	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4932	1516	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://f-link.me/FSYSi
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabfb89758,0x7ffabfb89768,0x7ffabfb89778
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:2
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:8
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:1
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4828 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:1
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:8
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1876,i,13975849346429707636,18354804237502021661,131072 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
70dd508cec94749eafd5edb8ce0c232e

SHA1
5c4f95830f32f6c944ec1c4e087d210e6efe702a

SHA256
f830246c0ff6ce307ce1c0dfdd00ac68860e75b983d6d05f14e61d167f2454f3

SHA512
d0313d84ee0ef6d22978f1da62ecd9b2ca073e2d1b36e20941e559e1b7e399d91d9f20e7a8eb6f30ddf5e2d1cc1f53c803c6ad58fef1d444f6d61292e8a446bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
926ed1e0a6ec7afe1f466f8ed92fbc95

SHA1
48b348c26db2c4df69ed43eafef9d7f17acf8dce

SHA256
a0d1c1e4371cc3916c3c90958872fc8f86f5da1838c35ee0c88e5e26be4e40cf

SHA512
a0a0cab1e120e7f1d812a47103a294c23b533294ba131162631181a8bbcbe198c8c6d5be50846b9341dbecd1c3bb4dec68ebcab0123bbbd1d6c7952db8c9f485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
03da676ba4949b352851b1c1c62322a0

SHA1
a18ebb8b685b2fd09073c3e7500a5f67d89c6fc1

SHA256
4fdb82c48818503917902900c4a80564f1b865552b9e67cfde958d171b4581e8

SHA512
01a4c14bfd60486bfb613ed5390c64b7ef80f73ea872d44fe715b18315e043feebe16f8c7748dbf383251fe8d37c445bee0241da08ea2d6fc7bbc5d029facfa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
01f9787e162cc2e60c44ea66d44dbf47

SHA1
2d0c406fbb90340f523dddef76ce31e66c8e6cf7

SHA256
9a9368c1ce46b4634ff948e505dbe8b4c47cc8fafb22e894156c20caaa7769a6

SHA512
df1164a91cc3840a66ab13e99fa7aca7cbe37e4bdb4f62cd0fcfe899ce86e975f393f6eb95bf55345be7b946ffbcab6c08c68a5f856c49505b9bebc81442b370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads