Analysis Overview
Threat Level: Likely benign
The file http://mediasolutions.formstack.com/forms/compliancedept was found to be: Likely benign.
Malicious Activity Summary
Detected potential entity reuse from brand microsoft.
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-06 14:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 14:44
Reported
2024-06-06 14:49
Platform
win10v2004-20240426-en
Max time kernel
300s
Max time network
300s
Command Line
Signatures
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133621586803487503" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mediasolutions.formstack.com/forms/compliancedept
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90ebbab58,0x7ff90ebbab68,0x7ff90ebbab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4084 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4632 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4908 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4216 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240 0x4e4
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1892,i,11866133297481558093,4092045752801562144,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mediasolutions.formstack.com | udp |
| US | 3.161.82.45:80 | mediasolutions.formstack.com | tcp |
| US | 3.161.82.45:80 | mediasolutions.formstack.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 3.161.82.45:443 | mediasolutions.formstack.com | tcp |
| US | 8.8.8.8:53 | static.formstack.com | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.82.161.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 151.101.0.176:443 | js.stripe.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.178.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 176.0.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| US | 18.173.205.118:443 | m.stripe.network | tcp |
| US | 8.8.8.8:53 | www.formstack.com | udp |
| US | 8.8.8.8:53 | m.stripe.com | udp |
| US | 34.210.222.73:443 | m.stripe.com | tcp |
| US | 8.8.8.8:53 | 118.205.173.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.222.210.34.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | proceed.hrnoticecenter.com | udp |
| US | 142.11.196.65:443 | proceed.hrnoticecenter.com | tcp |
| US | 8.8.8.8:53 | 65.196.11.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dcb15dde-d3032ec9.hrnoticecenter.com | udp |
| US | 142.11.196.65:443 | dcb15dde-d3032ec9.hrnoticecenter.com | tcp |
| US | 142.11.196.65:443 | dcb15dde-d3032ec9.hrnoticecenter.com | tcp |
| US | 142.11.196.65:443 | dcb15dde-d3032ec9.hrnoticecenter.com | tcp |
| US | 8.8.8.8:53 | 08757c16-d3032ec9.hrnoticecenter.com | udp |
| US | 8.8.8.8:53 | 7a8bee9e-d3032ec9.hrnoticecenter.com | udp |
| US | 142.11.196.65:443 | 7a8bee9e-d3032ec9.hrnoticecenter.com | tcp |
| US | 8.8.8.8:53 | l1ve.hrnoticecenter.com | udp |
| US | 142.11.196.65:443 | l1ve.hrnoticecenter.com | tcp |
| US | 8.8.8.8:53 | d5661d4c-d3032ec9.hrnoticecenter.com | udp |
| US | 8.8.8.8:53 | a74d3970-d3032ec9.hrnoticecenter.com | udp |
| US | 8.8.8.8:53 | wwwms.hrnoticecenter.com | udp |
| GB | 142.250.178.10:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 142.11.196.65:443 | wwwms.hrnoticecenter.com | tcp |
Files
\??\pipe\crashpad_2132_YFGNXYYBNYWPRONM
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dc46.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State