Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:38
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://clrtpod.com/
Resource: win10v2004-20241007-en
General

Target: http://clrtpod.com/
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756619248307858" | chrome.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID | Process | Entries
  3028 | chrome.exe | 2
  2716 | chrome.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  PID | Process | Entries
  3028 | chrome.exe | 2

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Description | PID | Process
  Token: SeShutdownPrivilege | 3028 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3028 | chrome.exe
  (the two tokens alternate through all 64 entries, 32 each, every one from PID 3028)

Suspicious use of FindShellTrayWindow (26 IoCs)
  PID | Process | Entries
  3028 | chrome.exe | 26

Suspicious use of SendNotifyMessage (24 IoCs)
  PID | Process | Entries
  3028 | chrome.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
  Description | PID | Process | procid_target
  PID 3028 wrote to memory of 1876 | 3028 | chrome.exe | 83
  PID 3028 wrote to memory of 344 | 3028 | chrome.exe | 84
  PID 3028 wrote to memory of 4284 | 3028 | chrome.exe | 85
  PID 3028 wrote to memory of 700 | 3028 | chrome.exe | 86
  (64 entries in total: the writes to 1876 and 4284 are listed twice each; the remaining 60 entries are repeated writes to 344 and 700)
Processes

chrome.exe (PID 3028)
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://clrtpod.com/
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  chrome.exe (PID 1876), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffedb00cc40,0x7ffedb00cc4c,0x7ffedb00cc58

  chrome.exe (PID 344), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2

  chrome.exe (PID 4284), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3

  chrome.exe (PID 700), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2576 /prefetch:8

  chrome.exe (PID 1864), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3040,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1

  chrome.exe (PID 2880), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

  chrome.exe (PID 996), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8

  chrome.exe (PID 2716), child of 3028
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4400,i,4008646998504837979,5718871039997931318,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

elevation_service.exe (PID 2040)
  Image: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

svchost.exe (PID 2628)
  Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
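Every signature on this page is attributed to chrome.exe, i.e. PID 3028 and the child processes it spawned, and PID 3028 is the browser the sandbox itself launched with the submitted URL on its command line. The WriteProcessMemory hits are therefore the Chrome broker writing into its own freshly created child processes (crashpad handler, GPU, network and storage utilities), not a write into a foreign process. The script below is an added example, not part of this report or of any sandbox product: it parses IoC lines in the report's own "description pid Process procid_target" format, rebuilds parent/child relations from the process tree (parent PIDs are an assumption taken from the nesting shown above, since the page prints depth rather than PPID), and flags any write whose target is not the writer's own child running the same image. The last IoC line in the sample input is constructed, not from the report, to exercise the alert path.

```python
"""Cross-check the WriteProcessMemory IoCs of a sandbox report against its
process tree, separating a browser broker writing to its own child processes
from writes into unrelated processes (the pattern that would suggest injection)."""
import re
from collections import Counter

# Process tree as listed under "Processes" in the report. Parent PIDs are an
# assumption taken from the nesting shown on the page (it prints depth, not PPID).
# Format: (pid, ppid, image); ppid=None marks a tree root.
PROCESSES = [
    (3028, None, "chrome.exe"),  # broker started by the sandbox with the URL
    (1876, 3028, "chrome.exe"),  # --type=crashpad-handler
    (344,  3028, "chrome.exe"),  # --type=gpu-process
    (4284, 3028, "chrome.exe"),  # --type=utility (NetworkService)
    (700,  3028, "chrome.exe"),  # --type=utility (StorageService)
    (1864, 3028, "chrome.exe"),  # --type=renderer
    (2880, 3028, "chrome.exe"),  # --type=renderer
    (996,  3028, "chrome.exe"),  # --type=utility (ProcessorMetrics)
    (2716, 3028, "chrome.exe"),  # --type=gpu-process (second instance)
    (2040, None, "elevation_service.exe"),
    (2628, None, "svchost.exe"),
]

# IoC lines in the report's own format ("description pid Process procid_target").
# The first five are copied from the page (the report repeats them many times;
# the 1876 line is kept twice here to show counting). The LAST line is
# CONSTRUCTED and is NOT in the report: it exercises the alert path.
IOC_LINES = """\
PID 3028 wrote to memory of 1876 3028 chrome.exe 83
PID 3028 wrote to memory of 1876 3028 chrome.exe 83
PID 3028 wrote to memory of 344 3028 chrome.exe 84
PID 3028 wrote to memory of 4284 3028 chrome.exe 85
PID 3028 wrote to memory of 700 3028 chrome.exe 86
PID 3028 wrote to memory of 2628 3028 chrome.exe 99
"""

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_iocs(text):
    """Return a list of (src_pid, dst_pid, src_image) tuples, one per line."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        if m["src"] != m["pid"]:
            # description and pid column disagree: treat the line as malformed
            raise ValueError(f"pid mismatch in IoC line: {line!r}")
        iocs.append((int(m["src"]), int(m["dst"]), m["image"]))
    return iocs


def count_writes(iocs):
    """How many times each (src, dst) pair appears in the IoC list."""
    return Counter((src, dst) for src, dst, _ in iocs)


def classify_writes(iocs, processes):
    """Map each distinct (src, dst) pair to a verdict:
    OWN_CHILD       - dst is a direct child of src running the same image
                      (normal for a multi-process browser broker)
    FOREIGN_PROCESS - dst exists but is not src's child, or runs another image
    UNKNOWN_TARGET  - dst does not appear in the process tree at all
    """
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    verdicts = {}
    for src, dst, src_image in iocs:
        if dst not in by_pid:
            verdicts[(src, dst)] = "UNKNOWN_TARGET"
            continue
        ppid, dst_image = by_pid[dst]
        if ppid == src and dst_image == src_image:
            verdicts[(src, dst)] = "OWN_CHILD"
        else:
            verdicts[(src, dst)] = "FOREIGN_PROCESS"
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. Counter({'OWN_CHILD': 4, 'FOREIGN_PROCESS': 1})."""
    return Counter(verdicts.values())


if __name__ == "__main__":
    iocs = parse_iocs(IOC_LINES)
    counts = count_writes(iocs)
    verdicts = classify_writes(iocs, PROCESSES)
    for (src, dst), verdict in verdicts.items():
        print(f"{src} -> {dst}: {verdict} ({counts[(src, dst)]} entries)")
    print(summarize(verdicts))
```

Run against the report's real lines only, every pair comes back OWN_CHILD; the constructed write into svchost.exe (PID 2628) is the one that would deserve analyst attention, because the target is neither a child of the writer nor the same image. The same check generalises to any multi-process application in a sandbox report: the interesting WriteProcessMemory entries are the ones that cross a parent/child or image boundary.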
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 649B
MD5: c985444156670aa93a4db67cbe41e0f4
SHA1: f202dbc1650d058f4cc7236452d9643643773db0
SHA256: 29a93809ddfa99a757e77d9fff59bfa711e526f9973cadd74877487577bec4aa
SHA512: 3bd464f241becb7a842fddf58b7b92a63078537c2a7277f058ad0b63b49f1c8428cc25107639b63796c4631bd1598cf63ed3936e45d8a8ac2c3d314cd4bc9f06

Filesize: 1KB
MD5: 48a482097da152f863773729e3b8b00b
SHA1: 5430b62296f56c0ac8c4d1ea6eced2921b35ae84
SHA256: 02f9fe4918791da3e4a163c962a20f1ecbad2a35b358fa76d7e272353e0c6803
SHA512: eaae258366855f2ea580c2973d1fcba3190002e1ccb7c36b7b0c63859c99643269238c540b9b120ffbf70001d1d42ac99fb20e50fbd3c36c61c59e681def42b7

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 9KB
MD5: 321549f5879368837788a0ef94ab4981
SHA1: 6510c57cdc33765e4bb09b31d67ebf7ef7476236
SHA256: eb763fd103738c6de877140890aae242cad9622424aa58aea53bc937c395d7c7
SHA512: 031aecfed4386f87403ea9e8e80a3ec0e0b748f32120f00b501d589f9ced9ccb0d2648efb1a63e494db90b21c4883824d3e54558bd07c5a4f87a3e1ee9149802

Filesize: 9KB
MD5: 09b6d051ca46b64c6ee6c7af48c16557
SHA1: d5d9fc1c3335d0205897dd8b9d565c91f228d5d4
SHA256: c10d54fbcd0f11f3306a4c907823797030ba5088586fff5e306f33c75707c71a
SHA512: cefc46e2b0def024aaa4f812110dfbf1bcb544bd62e45dd97797b84cb2f41ecf013e59819737d6255e630ad8a016c36acb92082336166c0601ef08e5f007dac1

Filesize: 9KB
MD5: f4b8afaee33dd63b302e53edfce65b83
SHA1: 6b7f8220d125d7fd3709cf1f9ce63e9a726ff8d9
SHA256: 19188bf66754e768c2a577462cb312fc5661980ce6461078db3d3e89354bff03
SHA512: 7c984dd07720d335aa750b9a6b85c96a500a24e7b9d9b89b7a201c3b3bbfd957536f889cc49a52cbc4fe321057b6ed5c916c602fa1d161564e14d00e7a5c2918

Filesize: 9KB
MD5: 96f0a6159713e9bcf223ddfaf6aba203
SHA1: aae326f964dff80687d7d7c4248564e6a0791db3
SHA256: 924494fefd4b6db0b238622c88ee697be361432c07d6ccd8a0f3fd194168d11d
SHA512: c1f4663f86e3029dd3f301fb49f821fb5a80e493e6730d1c7688caa3856f995ea1b587c9c0b3bb26dcca771ff03ee2cdf68fcf511bb86ceb59ac50e29ace8574

Filesize: 9KB
MD5: 5016121ddaf6bcb2e72962c51461e80f
SHA1: e32fbbc0906b2c982c0d05e914f8ed6066d8f6a1
SHA256: f0a90e1c81a5468429e355703d0eca3fc22d1a9b93e18bb986fe65d8ed60a928
SHA512: af77625c959b0b0518d5c5a7fc0f25d3e4c5901ecd89ab3c18a81c0faabde238e2d1c3c6dbc839d7412625f7cf0c68448a65b5a9ec18f7819a756004dc7eb146

Filesize: 9KB
MD5: 4e7fcfa8550c2b1bf777d16216f96ab2
SHA1: 48ceacae39c6e1201997d69928d4a4bc09119463
SHA256: 9e91faa6743f84047e6643896edb929cfa821983513d4b961ab77c3cc14a02b2
SHA512: 3420235e9947d40fbf21d954b86a8420f82a9ab2b718bc517490a3668a875d84142b14a8a1b38591f43484197592c92358d871499476eab1ae222278340033e3

Filesize: 9KB
MD5: 5a45afd93eb7f6e4359e61944712def7
SHA1: 03bc62661f65766f50459705da11ae886e4cb813
SHA256: ead6c02dcb803c23fb6b7c1f5599bd0c8301eeda20b116da5df0438288a5bb70
SHA512: 3a8f5ed322e4e0238481d48cfd4e08bfa0f49d47be75a9b611845da8a20975a4d6118be7a76ec070dd49ef1a4671f3a992088717333d474986a263ac3be4adb6

Filesize: 116KB
MD5: 9296b80b704f1cf3280e65aced2fcf52
SHA1: e74a8f5c642d033b79e2beb8bb2b411e2f0020ef
SHA256: dc130ed5c073de06d9e6cc29049967503d6e211e328b6648a5c4905c494bdf20
SHA512: 3a23265009be609bb012a428e929a3ca65699f2f189210440f0353197631d04633c81e27d7768f13af987fc218e3c8f75f9f91f77842e5b1ef5b7527e7368ba5

Filesize: 116KB
MD5: 1978bc5edf03b62e20b5dad5ddd7b30a
SHA1: 82581d6bf386007a7140d0cb09f0cdcf05afa8fa
SHA256: 4d0ff6fd24c3029d5cea2c5a882a9fef693bdccae9d516c1200e3e482b873b43
SHA512: 78eb38a52d0e90cf506a6f00e37ddbeedeacd6e716ad6a9e7ed8d1e22b805165f15cc88bdbdbb5535d06a85d8561586a5531a26174a2547ffda75d9109a46290