hxxps://qptr[.]ru/4f1f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://qptr.ru/4f1f

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638256033274213"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1160	224	chrome.exe	83
PID 224 wrote to memory of 1160	224	chrome.exe	83
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 3920	224	chrome.exe	84
PID 224 wrote to memory of 2024	224	chrome.exe	85
PID 224 wrote to memory of 2024	224	chrome.exe	85
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86
PID 224 wrote to memory of 3860	224	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://qptr.ru/4f1f
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa06dfab58,0x7ffa06dfab68,0x7ffa06dfab78
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:2
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:8
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=912 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2388 --field-trial-handle=1840,i,16234874339529425465,1425603970271894639,131072 /prefetch:1
  2⤵
  PID:4580

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4f6c8735b809966eb7f5129a56a515ec

SHA1
0346ef9a21fb277f4d9f1ae54dcc021de5465794

SHA256
5772baf31633bbcb2861dc6c87ad0b5ace4f261c6be920139589516f510125dd

SHA512
ddf98181cdba42fc78b38fec0dcf8c182dbdc94ce80552dd5500aa376c37eb08a4052213917ec7e0eea5f75818d60e15d051e9a262414e2b5e8c0022abb18f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a44f6217d59993b858dd12dedef3dacd

SHA1
3ddc1d755563be836bd0798f88c521035b2edb34

SHA256
1939486c1ecc413dc1a4a5f3eee4407de6d4559e4876a3ff6c4b9f278f77adeb

SHA512
2a7bef9921076b41f5723eeadf5c19182e160ec23c91d6609ee49cc8b9a0865e5f216f816560998519605c34462d1dcbe17c592868bbe7200b8e4af7aa454553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7e1823898ea36cd9e9d626e5d490a370

SHA1
3edbf29ec7a1cc26575186fb1a05025d4448a56a

SHA256
4493c07ca34cfcb1829bd6bd0ed8fd9a2a7e81d8b03aff4c00516289c2052e6e

SHA512
5ba2128cb62e89b77f62f86fdc438a790ebeb476de89917d5ebcd2c592fefed83252f97b460588c2df11256e0de644a9da485fa9acca3fad40e69d80be88ea6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
0f275a379e3893d34f3e4a375b7c5638

SHA1
8c09afe3d9979fc75e5a2ce0f88d6c564c5bb47e

SHA256
642f01a5e6cb0ec84920444b09b9fda0b25de8f02f59d93ee8c42c3a4af67e97

SHA512
edc872a3c80f315338f26b1a8ba5c291e1f4f70c91c913a775be1ba10925815fdfecc21dbb78c37ab68ce604d858594f10b54627b957b9ce11d66aef6d0d7c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c01c527eae6b31d889a1768b8243bf9a

SHA1
d53dd0bd7a7f39db8ad1eda0c246c5a57a1d2415

SHA256
6f2608d89211c9f9edf2baba8f9cb24f9b2ca5b9362b737d81e29bd2d2759087

SHA512
a6c729a1bd667c92e0a62b4f7bcd15cdd82473c73dc8ee64f039a56b376a66f4ae20a402eeb3844fdf8729d5dee4f77adcc69c52b80d81f8abbc88ee1756e789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
f98f901a5cc0f6a37b230c6a3e54afa9

SHA1
ee4e65b19fdea2fea4cf24861527d24e1f447195

SHA256
14b0f85cb872f5890903c7a62777e85c7d5c8f865b4a791091e86fa2f9b45ef2

SHA512
b3b06b91c464bbf2b77a6f1e97ffd9396a8014bb4fa6248ed03407beeed3d7997d923c6abf1ff292d7753861c2b0bca143774111048091d92e3d68e6b1a3ad49

Download Submit