hxxps://d11zJZ04[.]na1[.]hs-sales-sub[.]com/preferences/en/manage?data=W2nXS-N30h-RrW2TjS3h3H9TyKW2vPzbG3Vz5drW4m99sh4t5BTwW3Cf3P73NLth3W1VtLB321rKMXW3yNYVX21rkkmW4fFNfb4tpW7HW4fkgxd4prWGpW3BVwXl32bnndW1XhC0l4rB9mlW212YNb32y5nLW4cdVYR366JJhW34f1p72-rKsBW2KHLzF2RjcDJW2CBYsm2xwPVlW2RxG2P1NDVNMW3Z_1G-23qLybW2xZ-YC1ZnQ9fW3SzP1534CJSvW49vQb42MX5YkW3BV-H31QdTLgW4hq3M-2vNkj6W2xNYBj47Gp00W2nQbLy2Tt_BHW2-wvdn2MPpJ7W2MDdRF2YrslwW1NvMXl3z8jzFW1Z8N9Q2vLhMJW43qsPZ3C7kPLW231XsN1NnYJRW4mnm_d1Z00YSW2MN_vh2-zKHRW45VbDp2p3MGgW3c_RFc2sNxj8W4cPQFR4phy8rW2MBzXh3H7f_PW2y3mlK4tl3zbf2-p-4y04

Analysis

max time kernel
13s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://d11zJZ04.na1.hs-sales-sub.com/preferences/en/manage?data=W2nXS-N30h-RrW2TjS3h3H9TyKW2vPzbG3Vz5drW4m99sh4t5BTwW3Cf3P73NLth3W1VtLB321rKMXW3yNYVX21rkkmW4fFNfb4tpW7HW4fkgxd4prWGpW3BVwXl32bnndW1XhC0l4rB9mlW212YNb32y5nLW4cdVYR366JJhW34f1p72-rKsBW2KHLzF2RjcDJW2CBYsm2xwPVlW2RxG2P1NDVNMW3Z_1G-23qLybW2xZ-YC1ZnQ9fW3SzP1534CJSvW49vQb42MX5YkW3BV-H31QdTLgW4hq3M-2vNkj6W2xNYBj47Gp00W2nQbLy2Tt_BHW2-wvdn2MPpJ7W2MDdRF2YrslwW1NvMXl3z8jzFW1Z8N9Q2vLhMJW43qsPZ3C7kPLW231XsN1NnYJRW4mnm_d1Z00YSW2MN_vh2-zKHRW45VbDp2p3MGgW3c_RFc2sNxj8W4cPQFR4phy8rW2MBzXh3H7f_PW2y3mlK4tl3zbf2-p-4y04

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592597226128263"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2172	3864	chrome.exe	83
PID 3864 wrote to memory of 2172	3864	chrome.exe	83
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4772	3864	chrome.exe	84
PID 3864 wrote to memory of 4548	3864	chrome.exe	85
PID 3864 wrote to memory of 4548	3864	chrome.exe	85
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86
PID 3864 wrote to memory of 4476	3864	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://d11zJZ04.na1.hs-sales-sub.com/preferences/en/manage?data=W2nXS-N30h-RrW2TjS3h3H9TyKW2vPzbG3Vz5drW4m99sh4t5BTwW3Cf3P73NLth3W1VtLB321rKMXW3yNYVX21rkkmW4fFNfb4tpW7HW4fkgxd4prWGpW3BVwXl32bnndW1XhC0l4rB9mlW212YNb32y5nLW4cdVYR366JJhW34f1p72-rKsBW2KHLzF2RjcDJW2CBYsm2xwPVlW2RxG2P1NDVNMW3Z_1G-23qLybW2xZ-YC1ZnQ9fW3SzP1534CJSvW49vQb42MX5YkW3BV-H31QdTLgW4hq3M-2vNkj6W2xNYBj47Gp00W2nQbLy2Tt_BHW2-wvdn2MPpJ7W2MDdRF2YrslwW1NvMXl3z8jzFW1Z8N9Q2vLhMJW43qsPZ3C7kPLW231XsN1NnYJRW4mnm_d1Z00YSW2MN_vh2-zKHRW45VbDp2p3MGgW3c_RFc2sNxj8W4cPQFR4phy8rW2MBzXh3H7f_PW2y3mlK4tl3zbf2-p-4y04
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4c66cc40,0x7ffe4c66cc4c,0x7ffe4c66cc58
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,12946079457768294014,13622041645377317893,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,12946079457768294014,13622041645377317893,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,12946079457768294014,13622041645377317893,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,12946079457768294014,13622041645377317893,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12946079457768294014,13622041645377317893,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,12946079457768294014,13622041645377317893,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:3076

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eb5dac6e3974892924a48c8781b2433b

SHA1
9645c5c27f3a809db50592a71e55bd2d65377cbf

SHA256
ba2ffe814bb72b452a3f1a88a6df77e9d1c6a5c4d95b56a79af8f63ea8ffe418

SHA512
a622490778e73eb5cebb3632e80802ba0c14e58ef09197fdf0f30d143ff8bc4f6445e456c5f69b188fbf96d3f9c5327c5543592d170e5ca39d312656a6d314d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
78c4842d63565aa1a01ec555964383de

SHA1
a4b7aea53c42d9dca1e9cabc8838d96a768723a8

SHA256
ad5496c2072550b15871e479e47d2bdc87469ef24ae13b84044edf65b9ac0bac

SHA512
3102d8c0e524aadff333ec0d412979eb88558c553b4218f2e566b3a46b9cf8cd8043843b9d456c194009b8d49b40bdca7d44275991aaa2980ece0630a6132eec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\39ebf627-6c96-406f-8a0c-6637bb777733.tmp

Filesize
2KB

MD5
9598c6fd0145cf0668491946a4e95ae4

SHA1
353f14cc656dd96422f7eb27e96a556020edec2d

SHA256
23eac02635edb7bab7aae519502faf1f206a738112a35f76fe4280cdd866a7ee

SHA512
93984921e9c30d2c10f599a3a5cba3a43acbf955833005380f3ab77c12b3e3e0b5049b7f48fd14d88135b2906d9ff90aa3f343e655bb8b6fd550635362440fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1d869181ddf147c0e08724ca074589b8

SHA1
586961f4e18bef73e43422c8c531f9ea0d12b55f

SHA256
39d2e894556531abf3189857f5939a8b616ede8eff0604c021e270c62bd45cfc

SHA512
04d9171023d9db989997eb8814e3316ff96d491abefb0b6f19aae47e2e7a1deae73661361ce3e9298a9a4eca62e07ef78d12710946f8b44541d3d2af7322460c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
80a7f6af276db1b63d60013c56bb2ac4

SHA1
a3f7d91d99191256d86a0802365c1b06ce92749a

SHA256
ef6162bffbb02f21bb50c4203659e91f513ed3a98da7f31bb8df7de4554e6698

SHA512
c82f294118418e7764eed03ce236b25052a42a3b13b01b423daa76253ccad186481dcf585301be61dc4de76cda6abbe3ac43191be737857d849989d32465d21c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
986231850c3451e5ea039e63145c4651

SHA1
ae295198c145c43e5ae4f31876c60df6bbfbd101

SHA256
0dc447ed59e10a734b61c3237915fa51e92f7f714b14464a5fe4bc2965d85b3c

SHA512
fbc569a6a336d0e7f8e426f858c82a51a78a0b1c0803d1bab39e02a460c4f7fbe955e6532d58e403fdf4d2d2c02745a4b9b593b689658456f24afcea5a37f555

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
d8683380e2574dfe7c26eba661a9026e

SHA1
efab3db5d0b31f1c14122df290cc3e2bc55bcd0e

SHA256
79b9341a41bb8e71e19e9d24f97ea163f6eb302d4239583907616fd979db6943

SHA512
d667469a16b49885a1a60ce300d34877dc60a6622e2a9e4bdb32a322ca1506f8c63ba202e521ac0e4f1e506dde1002b2f6bd7d3bfe76bfa9e9d0d8c116abe4b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
a223766e03434adcc6f4638d4bb4f893

SHA1
0f00dc06694a48fe8c850155768bde8a0ee2caee

SHA256
c6562476e1184d023e525fc90bab666ed67e90833b45a122995e61e43a9dc076

SHA512
ffe006a04936cfed6bb9daaa6c8f76b20c8378f42683595bfc16c9306f677729463f7753039e29ac54ec61627b81925e9b8b5e95200258d3c3313a06ab19a1aa

Download Submit