hxxps://proton66925[.]lt[.]emlnk[.]com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZjbG91ZGZsYXJlLWlwZnMuY29tJTJGaXBmcyUyRmJhZnliZWlmZTdybWczdTVubjd1anNwNDczcXpoZWZybnBrbTZqZDNjd3JlbXVra2FhcnN6M2FoNGVtJTJGcmVkbS5odG0=&sig=6ZSZc6StcYZmVG8FC5aeDDQTmP9zoRtyhA59wmNX6bvG&iat=1715682248&a=%7C%7C28568550%7C%7C&account=proton66925%2Eactivehosted%2Ecom&email=eiKUYajHSA1U5u0QULKZcGvv8EgBnmKCPHpZMaGp7F8P57HTxyiA%3AeNHAM94BoVf%2F6U3yFZQFGcuUz3TymuBZ&s=801122f2c89732 136cebf4049753605e&i=1A3A0A4#m[.]xhaja@balfin[.]al

General

Target

https://proton66925.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZjbG91ZGZsYXJlLWlwZnMuY29tJTJGaXBmcyUyRmJhZnliZWlmZTdybWczdTVubjd1anNwNDczcXpoZWZybnBrbTZqZDNjd3JlbXVra2FhcnN6M2FoNGVtJTJGcmVkbS5odG0=&sig=6ZSZc6StcYZmVG8FC5aeDDQTmP9zoRtyhA59wmNX6bvG&iat=1715682248&a=%7C%7C28568550%7C%7C&account=proton66925%2Eactivehosted%2Ecom&email=eiKUYajHSA1U5u0QULKZcGvv8EgBnmKCPHpZMaGp7F8P57HTxyiA%3AeNHAM94BoVf%2F6U3yFZQFGcuUz3TymuBZ&s=801122f2c89732 136cebf4049753605e&i=1A3A0A4#[email protected]

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 cloudflare-ipfs.com
12 cloudflare-ipfs.com

flow	ioc
11	cloudflare-ipfs.com
12	cloudflare-ipfs.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133601576336043420"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4700 chrome.exe
4700 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4700 chrome.exe
4700 chrome.exe
4700 chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4700 wrote to memory of 4664	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 4664	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3944	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 2232	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 2232	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe
PID 4700 wrote to memory of 3892	4700	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://proton66925.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZjbG91ZGZsYXJlLWlwZnMuY29tJTJGaXBmcyUyRmJhZnliZWlmZTdybWczdTVubjd1anNwNDczcXpoZWZybnBrbTZqZDNjd3JlbXVra2FhcnN6M2FoNGVtJTJGcmVkbS5odG0=&sig=6ZSZc6StcYZmVG8FC5aeDDQTmP9zoRtyhA59wmNX6bvG&iat=1715682248&a=%7C%7C28568550%7C%7C&account=proton66925%2Eactivehosted%2Ecom&email=eiKUYajHSA1U5u0QULKZcGvv8EgBnmKCPHpZMaGp7F8P57HTxyiA%3AeNHAM94BoVf%2F6U3yFZQFGcuUz3TymuBZ&s=801122f2c89732 136cebf4049753605e&i=1A3A0A4#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda88dab58,0x7ffda88dab68,0x7ffda88dab78
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:2
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:8
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:8
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:1
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:8
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 --field-trial-handle=1924,i,17119554381431871203,11168559205347183667,131072 /prefetch:8
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
6d679127e324d5821a5e080ce346b9dd

SHA1
2f7fae5d893060143940faed8a24c81ad08c4f88

SHA256
f602f2ec437f13c1748ead5c34073bcd2bfb0ca41e8e0fd18f212681d8d17368

SHA512
01abd617f0cc01fa36750bc890d172fb7340b1414d6955366cb099dde5857b2430ae4e4dc6125683d2ff5f428a4b3bbddbc84d0e5cf678d7270ab4c048175e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
6bb1cccc37067941f24609356274ac16

SHA1
dea9ebfba7654ec246ef1fc824e86b27d2e77294

SHA256
e8a07dca6d82a27920bd38ce59dba6d371799c01aa343d03f509b010e5fbe1bd

SHA512
f358a003fa7771dd2988115c59857e1f0919098b0e102a68587bca3272e94d8e691f5229742991a1f2684b53ad49555b77c82a6fb4b4f1d723067d52e92813fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fbefd930798b836236c63028bd5be0e9

SHA1
41e15c02b3ccdb1f24586a42ec7c60b72b330ec0

SHA256
8132d0248cec8ff4107092dcaca8465598493be24f8e700ad342a98a8d4aa45b

SHA512
2151e38e61ace9e015a806d1f08e631e9176bc5af083046a65888aaf4e78addfe1bbb49d60af6f12238f4350b4e41b2f30f50729e4555e6372d9d13ebc8e6260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
9237cdbfd785c0b59df04e0977189d13

SHA1
f06bd256dca3a3162dd77f10592d99f62ac90d77

SHA256
2027aed648cfe53ef003d26360dbb05461742e9357c2f658968f7e46a9ecd107

SHA512
9c17b5880e9ee701e4801c4d2938fec80b1f8c588d4ec43a1a23a08e37fd62f023eedfa2591150d65fe26aaf2907e7aa40df5e6702e7d4c414d751dd56443051

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
2f670056765b27e0ed1a0ac41870d4a6

SHA1
c1b26c55c24fb1ce51592e064f11e7dc16d1ef22

SHA256
0d4cc812d17939c021f3f08f92d4933517ce3f30a639d5ca44d1a9104b016599

SHA512
f1048f3dc0f67b9091a53d27df744267a9de16b446b6a23a19472f506634f52fe22153bb2b68e9c881fe56091b62aaf3d48d65a6dd46db60c0f6e1fe43035372

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads