Analysis Overview
Threat Level: Likely benign
The URL https://p6f.org/B4GQ3Eam3T4RAI1Azz01klQ3EmP212APclz01loTxckm3ToTxnz01coTxm was found to be: Likely benign. Note that the submission is a URL, not a file, and every signature listed below was raised by chrome.exe, the browser the sandbox used to open it; the verdict therefore reflects the absence of host-level malicious behaviour and says nothing about the content of the page. The brand-reuse signature, together with the Network section showing the page moving from p6f.org through landsurveyor.co.nz to login.esign.foundation and generated subdomains of esign.foundation while Microsoft sign-in assets are fetched from aadcdn.msftauth.net, is consistent with a credential-phishing redirect chain and warrants manual review of the landing page before the verdict is trusted.
Malicious Activity Summary
Detected potential entity reuse from brand microsoft.
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 18:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 18:28
Reported
2024-06-18 18:31
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Detected potential entity reuse from brand microsoft.
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632089271754685" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://p6f.org/B4GQ3Eam3T4RAI1Azz01klQ3EmP212APclz01loTxckm3ToTxnz01coTxm
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97791ab58,0x7ff97791ab68,0x7ff97791ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4740 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4892 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1580 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3268 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4f4
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3064 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1064 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4016 --field-trial-handle=1952,i,7383070964003822985,4374884694646971764,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | p6f.org | udp |
| AU | 203.170.87.81:443 | p6f.org | tcp |
| AU | 203.170.87.81:443 | p6f.org | tcp |
| AU | 203.170.87.81:443 | p6f.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.87.170.203.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.p6f.org | udp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | privacy.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | landsurveyor.co.nz | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| AU | 114.142.162.17:443 | landsurveyor.co.nz | tcp |
| AU | 114.142.162.17:443 | landsurveyor.co.nz | tcp |
| AU | 114.142.162.17:443 | landsurveyor.co.nz | tcp |
| US | 8.8.8.8:53 | 17.162.142.114.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.esign.foundation | udp |
| DE | 159.100.18.246:443 | login.esign.foundation | tcp |
| US | 8.8.8.8:53 | 246.18.100.159.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4461c98c-91517664.esign.foundation | udp |
| DE | 159.100.18.246:443 | 4461c98c-91517664.esign.foundation | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| DE | 159.100.18.246:443 | 4461c98c-91517664.esign.foundation | tcp |
| DE | 159.100.18.246:443 | 4461c98c-91517664.esign.foundation | tcp |
| US | 8.8.8.8:53 | f5d77dd2-91517664.esign.foundation | udp |
| US | 8.8.8.8:53 | ab2a469f-91517664.esign.foundation | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | l1ve.esign.foundation | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 159.100.18.246:443 | l1ve.esign.foundation | tcp |
| US | 8.8.8.8:53 | 432338e1-91517664.esign.foundation | udp |
| US | 8.8.8.8:53 | 064a4b86-91517664.esign.foundation | udp |
| US | 8.8.8.8:53 | 09d57a7f-91517664.esign.foundation | udp |
| US | 8.8.8.8:53 | wwwms.esign.foundation | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 216.58.201.106:443 | content-autofill.googleapis.com | tcp |
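As an added example (not part of the sandbox report), the script below parses rows copied from the Network table above and distils them into the questions a triager asks of such a table: which hosts the browser actually connected to over TCP and in what order, how much of the table is reverse-DNS noise generated by the sandbox itself, whether Microsoft sign-in assets were fetched while the page ran on unrelated domains (the signal behind the "entity reuse from brand microsoft" signature), and which hostnames carry brand-like labels with digit substitution. The embedded rows are an abridged copy of the table; the Microsoft host lists, the brand-token list and the eTLD+1 shortcut are assumptions made for the illustration.

```python
"""Distil a sandbox Network table into a triage summary.

Added example, not part of the sandbox report. The rows below are an abridged
copy of the report's Network section, embedded inline so the script runs
offline. MICROSOFT_OWNED, SIGNIN_ASSET_HOSTS, BRAND_TOKENS and registrable()
are assumptions made for the illustration.
"""
from collections import OrderedDict

# Constructed from the report's Network table (abridged).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | p6f.org | udp |
| AU | 203.170.87.81:443 | p6f.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.87.170.203.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | landsurveyor.co.nz | udp |
| AU | 114.142.162.17:443 | landsurveyor.co.nz | tcp |
| US | 8.8.8.8:53 | login.esign.foundation | udp |
| DE | 159.100.18.246:443 | login.esign.foundation | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 4461c98c-91517664.esign.foundation | udp |
| DE | 159.100.18.246:443 | 4461c98c-91517664.esign.foundation | tcp |
| US | 8.8.8.8:53 | l1ve.esign.foundation | udp |
| DE | 159.100.18.246:443 | l1ve.esign.foundation | tcp |
| US | 8.8.8.8:53 | wwwms.esign.foundation | udp |
"""

# Assumption: hosts treated as Microsoft-owned (browser telemetry, Bing, CDN).
MICROSOFT_OWNED = {"aadcdn.msftauth.net", "aadcdn.msauth.net",
                   "www.microsoft.com", "privacy.microsoft.com",
                   "g.bing.com", "www.bing.com"}
# Assumption: the subset that serves Microsoft sign-in page assets.
SIGNIN_ASSET_HOSTS = {"aadcdn.msftauth.net", "aadcdn.msauth.net"}
# Assumption: brand words a hostname label is compared against.
BRAND_TOKENS = {"live", "login", "microsoft", "office", "outlook"}
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})


def parse_rows(table):
    """Parse '| country | ip:port | domain | proto |' rows into dicts."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"malformed row: {line!r}")
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def registrable(host):
    """Crude eTLD+1: keep three labels for 'x.co.nz'-style names, else two.
    (Assumption; use a public-suffix library for real triage.)"""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "net", "org", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_hosts(hosts):
    """Non-Microsoft hosts with a subdomain label that is a brand token,
    possibly with digits substituted for letters (e.g. 'l1ve')."""
    hits = []
    for h in hosts:
        if h in MICROSOFT_OWNED:
            continue
        if any(label.translate(LEET) in BRAND_TOKENS for label in h.split(".")[:-2]):
            hits.append(h)
    return hits


def summarise(rows, submitted_host):
    """Ordered TCP fetch chain, PTR noise count, and the brand-reuse signal:
    Microsoft sign-in assets loaded alongside unrelated third-party domains."""
    chain, ptr, queried = OrderedDict(), 0, []
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            ptr += 1                      # sandbox reverse lookups, not page traffic
        elif r["domain"]:                 # skip mDNS and other domain-less rows
            queried.append(r["domain"])
            if r["proto"] == "tcp":
                chain.setdefault(r["domain"], (r["ip"], r["port"], r["country"]))
    contacted = list(chain)
    ms_assets = [h for h in contacted if h in SIGNIN_ASSET_HOSTS]
    third_party = sorted({registrable(h) for h in contacted}
                         - {registrable(h) for h in MICROSOFT_OWNED}
                         - {registrable(submitted_host)})
    return {"chain": contacted, "ptr_lookups": ptr,
            "microsoft_assets": ms_assets, "third_party_domains": third_party,
            "lookalike_hosts": lookalike_hosts(list(dict.fromkeys(queried))),
            "brand_reuse_suspect": bool(ms_assets) and bool(third_party)}


if __name__ == "__main__":
    for key, value in summarise(parse_rows(NETWORK_TABLE), "p6f.org").items():
        print(f"{key}: {value}")
```

Run against the embedded rows, the chain reduces to p6f.org, g.bing.com, aadcdn.msftauth.net, landsurveyor.co.nz and three esign.foundation hosts, the single PTR row is set aside, and the brand-reuse flag is raised because sign-in assets were fetched while the page ran on esign.foundation and landsurveyor.co.nz; the lookalike check picks out login.esign.foundation and l1ve.esign.foundation. The heuristics are deliberately simple: the point is that the verdict line at the top of the report is computed from host behaviour, and this network view is what a human should read next.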
Files
\??\pipe\crashpad_5008_NIMFRUQGKQWXJBYF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6b0ba03bdbabc995b8670651a12ccf4b |
| SHA1 | ad47fae735bf8a8e7e6388c0ebf689ea753c8472 |
| SHA256 | 3f9e1af925833cc1163a54591e92ee3aff2fb981630a70c9b1e1ae09b8d7f462 |
| SHA512 | 9d4fa50fb83cd77a5d0face9ab9dc47131de4a6a640ee2f36f482f74cb6ebd13677304006bd0d5f4e91cd8d37ffe54e40ec42543cbf18c2db0352eb35393dc9f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4b29cd202864786ebf6abbbb7d94a3f6 |
| SHA1 | a45b43fc066df8a95d411f0cf94ea9b4e7711abf |
| SHA256 | f246e7b71b7c7e102ed1633257c1134ee0a97a4d90c3af12f6d64d15257647fc |
| SHA512 | 27461fcd6189ab4b1a9a7ce5abbc139f7d911ad0aae1085122f18514943d8ceb972c6dfffc9ea52f2d1fb6687fee40d09093f9d6f67147a03ee94bd16d8e658d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a10c35191d9e567cf89bfb922e9eae6f |
| SHA1 | e105b5afb86d355febe309dda23fc88144164fe8 |
| SHA256 | eeb58d5fa507e2d37ea22dc15504a12ae705643527f2b4e40b2369b9dabae531 |
| SHA512 | 08231bdad32d00ead408d103bb72c430c7c4630f0b14c278bb398b4c3852f0c89b80718a32d32a3dd49a74a6418d0a2ff254805a502b63f5ed675ace48a00dea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 05f50fa9d181c53b8599ec7bbb6ee9a9 |
| SHA1 | 82fb271045802963613d2375acfe116033547103 |
| SHA256 | c20ff9cb629f782ee50d9dcbc9d11631850d387629c0a4555305adb8ba6896ba |
| SHA512 | 60c6997815fb5ea20599b2575d9715adaf01db1f1549b8e350907b90c119fe305d8d144bb7c0de9b3733b244b7aa34c1edaf7debf64f6007445da8cd0401e600 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bda0a43dd0610967c23357af8481af85 |
| SHA1 | da466e57c54d5dbfeff180032bf39febc33ac294 |
| SHA256 | 1cac7beb478232fe270b6019b347b77f77acda95dbe3d2af32eb49a0f5df2fa5 |
| SHA512 | 6796d495f7777c0b1d1cd1fd7c4bc79b1683411af754ef17cc8c6aa1fef87d2ffa8dd92d60c78b98cffa06dd38dc9245e159e7177d3376eceb1ef327217845be |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0013f1abd06984af5af4104bb2b17fb7 |
| SHA1 | 859e51002fab718d8cdf905ea10515df4eab165a |
| SHA256 | 352ef42eef1ba1879c2503fe8357dd2d0bf4368e7b72abc52e04cec4c8e49cf4 |
| SHA512 | 78ed75fd9db878331b7e85b0211edc1a666a84a112f12bc26b54bda7bf1d58356ab5cea16239248d8beb7e3738f039d83e7c27840f710e36d2e0d4f82fba6445 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 9583bfd3231fe1b1baeca419d12d9f46 |
| SHA1 | 0e790f7625a0a04ade67897d542daac24a9faf6f |
| SHA256 | 1d289fa1847d5011fc0e82bd0c1da9c835af2733939e52d278977f5b7ea81504 |
| SHA512 | 5fcf4da10962174eb99b816ccbc5db9bdf44c05607153e6de3999c6041dc5c36a36631fbe339138cce8c5b69bed5467c72e58ecd8c4a8b233c5964c39e3268d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe595f6c.TMP
| MD5 | bbdc63ac5cf198dbc600dc56c95c01ae |
| SHA1 | f040b0db5ca51745200f95a8e40faa2dc402bcfb |
| SHA256 | 9fe05981084574cc9fbdc85f821f86248b8825e39ab569cda57699d79436e847 |
| SHA512 | 3635d85edfa79a69b97336ca51c0e1fd955a6583921622d3892ef577826cb9174639272837886d4664365bbe53cb7fc30d76c0b9ce3c2dcfcb5b4ce7fd152c8d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e5af7c94874aac5d5890ef54d350b3f0 |
| SHA1 | b1997d31a319fcf7a9145a0ef4e1e2d187c40ad3 |
| SHA256 | 99c3b026537306266dac67416e0eff3c86108f31dee1c3e911f9bf9e819fb3be |
| SHA512 | 0cdd325311158aed316f3d7f2a1c10363cce4ef429953149042d3f6950b6b047a8ee466c5f877def33620af93cf64b3769c7450cd6ac5fdde20301ceee9231f4 |