hxxps://confirmations-west[.]pwc[.]com/confirmer/email/unsubscribe-resubscribe?confirmeruniqueid=ab59a089-0e08-4e82-bec2-916495f49569

Analysis

max time kernel
33s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://confirmations-west.pwc.com/confirmer/email/unsubscribe-resubscribe?confirmeruniqueid=ab59a089-0e08-4e82-bec2-916495f49569

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133603638215406626"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4744	chrome.exe
4744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4744	chrome.exe
4744	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe
Token: SeShutdownPrivilege	4744	chrome.exe
Token: SeCreatePagefilePrivilege	4744	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe
4744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 5016	4744	chrome.exe	82
PID 4744 wrote to memory of 5016	4744	chrome.exe	82
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 4844	4744	chrome.exe	83
PID 4744 wrote to memory of 2984	4744	chrome.exe	84
PID 4744 wrote to memory of 2984	4744	chrome.exe	84
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85
PID 4744 wrote to memory of 3988	4744	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://confirmations-west.pwc.com/confirmer/email/unsubscribe-resubscribe?confirmeruniqueid=ab59a089-0e08-4e82-bec2-916495f49569
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b6dab58,0x7ff92b6dab68,0x7ff92b6dab78
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:2
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1908,i,12778286674635031899,15720572942190518204,131072 /prefetch:8
  2⤵
  PID:1620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8cbe92d8-9f28-4c70-b335-bd46d86bdf28.tmp

Filesize
132KB

MD5
0f2363cdaeca86c92ce90dc5c45057a2

SHA1
ab15261cce196550a28d091bb2332aa376091072

SHA256
9b28d0d929872439efef7fd42e14cfd7f20db0d034da0847b3e2fe3e851375b1

SHA512
3c5333670d04b7b4e3adcf74f4273313d4e0e0d812d12df72ba634eb5d2deaf6018c7f2f0cb3af3c19473ad9949d056217e97776a6fcdb2f49a3567810221232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
741089cc9b1c5ab6168a7a537b074631

SHA1
e5bb86eb6e988ea923266d83d0395a529373a395

SHA256
954e8cb894fbb118d5c4e7cb68d1b8689b0985347b603bcadf981ddadfc22610

SHA512
f9f857545f3b59305f1e782a72bc0ab69f664cf3c30d308e32bc9609fa56c121ee7fdcf5c9e9b549a787978b6f36444d9583c280f2503d7576fe81737df7ffde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7400fc0142da62b606b391e0a26d3c75

SHA1
3a2af6f2f3f5dd686154bf1c7ef48a56d13b4a40

SHA256
14cd1fd8395014520c4b3c77d2357348f0ec2c39a0223fd05c16ae05b7d36d48

SHA512
6e749e61b4d4dbc7e989a3e7f127139ddbc1d7e7f21519b66ccc26bfbdbd673bc10c8181b46b9b33866626173ea3362d2b36c7563a48eaac1b53a4919ad6dc3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4cb215d40171abb1cf481873f5e67e43

SHA1
bd8239e6d1d6866b961bda5605ef6f2431fc72ff

SHA256
041ce87c28392cae5ce909b4aa6e04339c33ff2fd3cefb2581c58f03375403b0

SHA512
3d704138ffa1d7b8dfa0c2fbd9bf97324d7994a1506a71d8a6ba98d49c525fd8ff10eee16a2305e35569824863d6051e8b83e9f8a0f78102c60be15e65c4a11b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
bd9a1e7fb03d041c19a6b64a3bf4cb36

SHA1
9e9da78a4ce63f8e73156129086fcddad0a716ca

SHA256
37122a9f171d6553afa888210c8c4a7819da3775e75661cb9a4592e786385832

SHA512
fd058da317b7a4e84aa0faf456708a47f5406feb60dacc05c952b77b4553eeba7f0d53e1d1c19dc564a05f4c923e50710d22bdf3cc5e6106cfa154e48c8554b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
e8849fdb035eab03a991c63177a40d85

SHA1
02cdeb66872546751edf9b985ad7cf818fbd0883

SHA256
f92ee2dd28371854aaa96a3bbbec2f052560ca09f225930bc1527283c65430af

SHA512
7f182e743abbe6bf2041c98611cf1a45ab994b1949bf3ccf259ec3173a47fea80fb2fb001d5b683cd8b228ee4ab9ceac66998d1d3253a54ec2397ecad48796da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
721c1f98d0633ace3d4cb82cc65fbfc2

SHA1
39fac16e9bfc1773883c8e748b91789ee5ed73f1

SHA256
caab4f0bd636515fa87e54695b0ec76bb7391decc7c2ab83a4a8be54f24e94ef

SHA512
1264cec88799db6edd4e0f2f11ccd59e2efc2aa5c608b6f3d0daeb59cac789fa952cdaf3c6ac0a777137dcf13c7f77564351247728f30a91db185d6da19aacb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e78c88170cd74b73c84c2490f27058e0

SHA1
e456dd241db9ed803b05a66c53e9534aff61190c

SHA256
74081be07fedd38290a64040a398cd14285021dcc89fd81c0ab544335b38b91b

SHA512
59e866814aa59eb587a7c3507dae64d3384a1dc8ff02bf9d47d07c671ab1ed3a4772c66bb58919644e357f662913fbf3bb2fbb0870f312269b1596700503a48b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
28084cf6e71813b8975fa7643dd76c9d

SHA1
19c49bb0232e3353a8f5de2fefbf6e82aa373ab6

SHA256
2d01028077a6c761ca5aca325994f70598db29c760bbc87ef299c40cb4c80c64

SHA512
dfd621e1a60390e465cc2ea5f86a3ea2582f6188c0f751eef89d3d8db7b74312c74ce61fc61a477ef19f5a89cee646d3a549294726af9ebed43889304c44ba82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
07d8b7143beec7335918d720de4d2c8a

SHA1
ec211db1ccbad10c6daa53b52f6ccfe952518a5a

SHA256
6f1ded2720094129a4c28565ef22d8093865b27984c1499a2328491dc43d93f4

SHA512
4b487b9ae74d6baa297fbc8a55fde3bbce39a303ad1865fc1fce0444d848a8598bf59551845d5cfb7855024e6e1ed4a87f9c2ccdcc7271f831698c8b967d634d

Download Submit