hxxps://phisher-parts-production-eu-west-1[.]s3[.]eu-west-1[.]amazonaws[.]com/331f1185-2a2d-4d80-a09c-a778676cd6f5/2024-11-20/4hq2k2nq7n2b5tjt6repcuruhhms41vrd17tvo81/f68f0c2a22999cf172b5efa9971207fa7c5fb4f5df7201d9cceba29026548d96?response-content-disposition=attachment%3B%20filename%3D%22Transaction_Verification_zina_CJOGBPURZK[.]html%22%3B%20filename%2A%3DUTF-8%27%27Transaction_Verification_zina_CJOGBPURZK[.]html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QCUXUSZ56%2F20241120%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20241120T160309Z&X-Amz-Expires=8580&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJGMEQCIG%2BiWMHOotkGbND67rwZGpYMjtOVWGPPhwyoY5aTcsjHAiA9NfH8TnFEqoGq14RsGHX2VxfDAuNvAMwxG11o%2FFJG2yqIBAiN%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDgyMzE5MzI2NTgyNCIM3HwVBjUdRBSzMTIMKtwDjRaaEZY7N37f5i%2BDj4ab1UftQF0ctz6%2Bo7EP7fVr1n%2FmkoPMUsHcr7F1u3xOgqulf7rc1KuXNQxT29n8TQ%2Bcd%2B%2Fw%2FvCAyneM5e1JGABgbmJQ4XCbKL1ZItR69QsEGxv0TWYsBoTd1mTzKgYkVlpw84TqdG1ZY%2BCwUyZtdcqwHhI%2FH7PNw7I8OhYQiZz2y8a7KrxahyPfWqktcXIvwJF0KVILh6dh2C527tILgisbGjaSngjShoymQriSp65Z5le5j295VJl4kv0rTyrH3yYYijLCpM%2FO9poJG%2BpJWJA6oCFqB%2FeqFh6JUJunymMxdDeKXH1%2FcF%2FaCCFz0MRJY4OFhbTIh5RZb2R1ZBlKZ9XBPwtfaI17bxjH1rp7pdsUXrFDSMqG6%2BuEXj5eowsHShP49DCdiMlkjG31HbwHn6kAKF3vzwRSwkG%2BlsuykoAy5qxxdo0y1lZWuE9ntrPDFxq4xoEVGl0issKPfGsl2Ibz%2FwmDwXXYGBC7OXlEZv4Iw4r9FXFbijS4M6vNACugfE8rVGx0y%2BOsKDew7DYpaC7WjgcNHNAMIVWw5oryW6oIkVTOxNwlPBorZk8brWAyy6UdeMKzIbsX%2Fx3tZjDFd1WECDsZKAuJe8p6b8iqj6Iw4ar3uQY6pgHtYcTFoFKS3L3pZ0ezM9yH8sNqOjevDL8OjcvXpqoCXGpZBQ%2FFxZ%2BDGIiZe0jDxb2MKCW1YV0abvOsTD13Rs%2FklnnzmkyqFxgKEejGSwfWkmjvlyfeDZX1R3TcM2bx3M32GWjFMeNsurwdFQsbW%2FTlqkl8H9cOijRpE%2FtOBLSU6DH%2F%2FSjGi3m%2FnxY%2Fxae3uF5DGiQ66xqYTmsQyb8IqhXCp%2B4gaz2u&X-Amz-SignedHeaders=host&X-Amz-Signature=8a728cae731e085e82472d5f55ba06eb8d1722bc6d1b07fe5ccb2f8a72c389b5

Analysis

max time kernel
47s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 16:03

Sharing

Behavioral task

behavioral1

Sample

https://phisher-parts-production-eu-west-1.s3.eu-west-1.amazonaws.com/331f1185-2a2d-4d80-a09c-a778676cd6f5/2024-11-20/4hq2k2nq7n2b5tjt6repcuruhhms41vrd17tvo81/f68f0c2a22999cf172b5efa9971207fa7c5fb4f5df7201d9cceba29026548d96?response-content-disposition=attachment%3B%20filename%3D%22Transaction_Verification_zina_CJOGBPURZK.html%22%3B%20filename%2A%3DUTF-8%27%27Transaction_Verification_zina_CJOGBPURZK.html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QCUXUSZ56%2F20241120%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20241120T160309Z&X-Amz-Expires=8580&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJGMEQCIG%2BiWMHOotkGbND67rwZGpYMjtOVWGPPhwyoY5aTcsjHAiA9NfH8TnFEqoGq14RsGHX2VxfDAuNvAMwxG11o%2FFJG2yqIBAiN%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDgyMzE5MzI2NTgyNCIM3HwVBjUdRBSzMTIMKtwDjRaaEZY7N37f5i%2BDj4ab1UftQF0ctz6%2Bo7EP7fVr1n%2FmkoPMUsHcr7F1u3xOgqulf7rc1KuXNQxT29n8TQ%2Bcd%2B%2Fw%2FvCAyneM5e1JGABgbmJQ4XCbKL1ZItR69QsEGxv0TWYsBoTd1mTzKgYkVlpw84TqdG1ZY%2BCwUyZtdcqwHhI%2FH7PNw7I8OhYQiZz2y8a7KrxahyPfWqktcXIvwJF0KVILh6dh2C527tILgisbGjaSngjShoymQriSp65Z5le5j295VJl4kv0rTyrH3yYYijLCpM%2FO9poJG%2BpJWJA6oCFqB%2FeqFh6JUJunymMxdDeKXH1%2FcF%2FaCCFz0MRJY4OFhbTIh5RZb2R1ZBlKZ9XBPwtfaI17bxjH1rp7pdsUXrFDSMqG6%2BuEXj5eowsHShP49DCdiMlkjG31HbwHn6kAKF3vzwRSwkG%2BlsuykoAy5qxxdo0y1lZWuE9ntrPDFxq4xoEVGl0issKPfGsl2Ibz%2FwmDwXXYGBC7OXlEZv4Iw4r9FXFbijS4M6vNACugfE8rVGx0y%2BOsKDew7DYpaC7WjgcNHNAMIVWw5oryW6oIkVTOxNwlPBorZk8brWAyy6UdeMKzIbsX%2Fx3tZjDFd1WECDsZKAuJe8p6b8iqj6Iw4ar3uQY6pgHtYcTFoFKS3L3pZ0ezM9yH8sNqOjevDL8OjcvXpqoCXGpZBQ%2FFxZ%2BDGIiZe0jDxb2MKCW1YV0abvOsTD13Rs%2FklnnzmkyqFxgKEejGSwfWkmjvlyfeDZX1R3TcM2bx3M32GWjFMeNsurwdFQsbW%2FTlqkl8H9cOijRpE%2FtOBLSU6DH%2F%2FSjGi3m%2FnxY%2Fxae3uF5DGiQ66xqYTmsQyb8IqhXCp%2B4gaz2u&X-Amz-SignedHeaders=host&X-Amz-Signature=8a728cae731e085e82472d5f55ba06eb8d1722bc6d1b07fe5ccb2f8a72c389b5

Resource

win10v2004-20241007-en

windows10-2004-x64

11 signatures

150 seconds

Report Analysis Logs

General

Target

https://phisher-parts-production-eu-west-1.s3.eu-west-1.amazonaws.com/331f1185-2a2d-4d80-a09c-a778676cd6f5/2024-11-20/4hq2k2nq7n2b5tjt6repcuruhhms41vrd17tvo81/f68f0c2a22999cf172b5efa9971207fa7c5fb4f5df7201d9cceba29026548d96?response-content-disposition=attachment%3B%20filename%3D%22Transaction_Verification_zina_CJOGBPURZK.html%22%3B%20filename%2A%3DUTF-8%27%27Transaction_Verification_zina_CJOGBPURZK.html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QCUXUSZ56%2F20241120%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20241120T160309Z&X-Amz-Expires=8580&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJGMEQCIG%2BiWMHOotkGbND67rwZGpYMjtOVWGPPhwyoY5aTcsjHAiA9NfH8TnFEqoGq14RsGHX2VxfDAuNvAMwxG11o%2FFJG2yqIBAiN%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDgyMzE5MzI2NTgyNCIM3HwVBjUdRBSzMTIMKtwDjRaaEZY7N37f5i%2BDj4ab1UftQF0ctz6%2Bo7EP7fVr1n%2FmkoPMUsHcr7F1u3xOgqulf7rc1KuXNQxT29n8TQ%2Bcd%2B%2Fw%2FvCAyneM5e1JGABgbmJQ4XCbKL1ZItR69QsEGxv0TWYsBoTd1mTzKgYkVlpw84TqdG1ZY%2BCwUyZtdcqwHhI%2FH7PNw7I8OhYQiZz2y8a7KrxahyPfWqktcXIvwJF0KVILh6dh2C527tILgisbGjaSngjShoymQriSp65Z5le5j295VJl4kv0rTyrH3yYYijLCpM%2FO9poJG%2BpJWJA6oCFqB%2FeqFh6JUJunymMxdDeKXH1%2FcF%2FaCCFz0MRJY4OFhbTIh5RZb2R1ZBlKZ9XBPwtfaI17bxjH1rp7pdsUXrFDSMqG6%2BuEXj5eowsHShP49DCdiMlkjG31HbwHn6kAKF3vzwRSwkG%2BlsuykoAy5qxxdo0y1lZWuE9ntrPDFxq4xoEVGl0issKPfGsl2Ibz%2FwmDwXXYGBC7OXlEZv4Iw4r9FXFbijS4M6vNACugfE8rVGx0y%2BOsKDew7DYpaC7WjgcNHNAMIVWw5oryW6oIkVTOxNwlPBorZk8brWAyy6UdeMKzIbsX%2Fx3tZjDFd1WECDsZKAuJe8p6b8iqj6Iw4ar3uQY6pgHtYcTFoFKS3L3pZ0ezM9yH8sNqOjevDL8OjcvXpqoCXGpZBQ%2FFxZ%2BDGIiZe0jDxb2MKCW1YV0abvOsTD13Rs%2FklnnzmkyqFxgKEejGSwfWkmjvlyfeDZX1R3TcM2bx3M32GWjFMeNsurwdFQsbW%2FTlqkl8H9cOijRpE%2FtOBLSU6DH%2F%2FSjGi3m%2FnxY%2Fxae3uF5DGiQ66xqYTmsQyb8IqhXCp%2B4gaz2u&X-Amz-SignedHeaders=host&X-Amz-Signature=8a728cae731e085e82472d5f55ba06eb8d1722bc6d1b07fe5ccb2f8a72c389b5

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765922731691965"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4544	3788	chrome.exe	82
PID 3788 wrote to memory of 4544	3788	chrome.exe	82
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 4016	3788	chrome.exe	83
PID 3788 wrote to memory of 2384	3788	chrome.exe	84
PID 3788 wrote to memory of 2384	3788	chrome.exe	84
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85
PID 3788 wrote to memory of 2780	3788	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://phisher-parts-production-eu-west-1.s3.eu-west-1.amazonaws.com/331f1185-2a2d-4d80-a09c-a778676cd6f5/2024-11-20/4hq2k2nq7n2b5tjt6repcuruhhms41vrd17tvo81/f68f0c2a22999cf172b5efa9971207fa7c5fb4f5df7201d9cceba29026548d96?response-content-disposition=attachment%3B%20filename%3D%22Transaction_Verification_zina_CJOGBPURZK.html%22%3B%20filename%2A%3DUTF-8%27%27Transaction_Verification_zina_CJOGBPURZK.html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QCUXUSZ56%2F20241120%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20241120T160309Z&X-Amz-Expires=8580&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJGMEQCIG%2BiWMHOotkGbND67rwZGpYMjtOVWGPPhwyoY5aTcsjHAiA9NfH8TnFEqoGq14RsGHX2VxfDAuNvAMwxG11o%2FFJG2yqIBAiN%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDgyMzE5MzI2NTgyNCIM3HwVBjUdRBSzMTIMKtwDjRaaEZY7N37f5i%2BDj4ab1UftQF0ctz6%2Bo7EP7fVr1n%2FmkoPMUsHcr7F1u3xOgqulf7rc1KuXNQxT29n8TQ%2Bcd%2B%2Fw%2FvCAyneM5e1JGABgbmJQ4XCbKL1ZItR69QsEGxv0TWYsBoTd1mTzKgYkVlpw84TqdG1ZY%2BCwUyZtdcqwHhI%2FH7PNw7I8OhYQiZz2y8a7KrxahyPfWqktcXIvwJF0KVILh6dh2C527tILgisbGjaSngjShoymQriSp65Z5le5j295VJl4kv0rTyrH3yYYijLCpM%2FO9poJG%2BpJWJA6oCFqB%2FeqFh6JUJunymMxdDeKXH1%2FcF%2FaCCFz0MRJY4OFhbTIh5RZb2R1ZBlKZ9XBPwtfaI17bxjH1rp7pdsUXrFDSMqG6%2BuEXj5eowsHShP49DCdiMlkjG31HbwHn6kAKF3vzwRSwkG%2BlsuykoAy5qxxdo0y1lZWuE9ntrPDFxq4xoEVGl0issKPfGsl2Ibz%2FwmDwXXYGBC7OXlEZv4Iw4r9FXFbijS4M6vNACugfE8rVGx0y%2BOsKDew7DYpaC7WjgcNHNAMIVWw5oryW6oIkVTOxNwlPBorZk8brWAyy6UdeMKzIbsX%2Fx3tZjDFd1WECDsZKAuJe8p6b8iqj6Iw4ar3uQY6pgHtYcTFoFKS3L3pZ0ezM9yH8sNqOjevDL8OjcvXpqoCXGpZBQ%2FFxZ%2BDGIiZe0jDxb2MKCW1YV0abvOsTD13Rs%2FklnnzmkyqFxgKEejGSwfWkmjvlyfeDZX1R3TcM2bx3M32GWjFMeNsurwdFQsbW%2FTlqkl8H9cOijRpE%2FtOBLSU6DH%2F%2FSjGi3m%2FnxY%2Fxae3uF5DGiQ66xqYTmsQyb8IqhXCp%2B4gaz2u&X-Amz-SignedHeaders=host&X-Amz-Signature=8a728cae731e085e82472d5f55ba06eb8d1722bc6d1b07fe5ccb2f8a72c389b5
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffda8d3cc40,0x7ffda8d3cc4c,0x7ffda8d3cc58
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4544,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3112,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4320,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5324,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3768,i,7900049213197737346,3947761899938126935,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4264

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9291e6966c7722f359b2e971f0fba8b1

SHA1
8ad12701264a3a199ff9727c09c875b4e26a5e24

SHA256
63b57661f31a99f897fdadca67ed027769a01ecde22084db838133a303e3a4f2

SHA512
df9b6480f6b1bf71144ee30902a5feae3876b17103a4d2879ec770f4a6897b2cec2fd80bba2c0baff118a10d935532a28765ddfeae167d06381d621a34fd76ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
31d0f59a81f21315a350fb008f8c3e45

SHA1
f0c57e81a836ccf9ca14f3842be8c8a7929b0f5e

SHA256
7d35940aa85d35683eeca4d4987fb19378fb58b7fbd9fd6767c4966df5f9196b

SHA512
84802fe27ca5c50b5bbde2db1c120403bae580d606d453684d0417d34896f8b8c8fb7b3bb3abce41453fff95bc20a2873434a89e3b3d51302df384f0f5d18041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59953215946c0e3d21a7e2acdfa46828

SHA1
8031c929894cdd1434981a55d0429f7f8f8252f1

SHA256
ebaf829acef2af2fd21826196cad2b69b944350ee99f30dd06a208b8b70b71af

SHA512
25cb1463192c4ac5b684c5cddc0b7c4bb31ff0cd34c97e7669fc27d4b99ae783992f82c7a0dd2586f1a5fbfa101105e2e7774c8b1cd5a561e3ae9f31bfd3f007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
cb3fb87fb7be513c4431d25e3d528610

SHA1
8ba3069e1f0dd57bf394a15e5070721936fc3b14

SHA256
5d2a70aeb622abb68e18384f0566216e9d3519b17385a4c1f320900ad4944bf1

SHA512
ea102539d4e2241840bb19519d797cf117eb73bad134ee5ec10b86bf3c28950952a8f221a26cf2ec0468aff4a2349897883c770d3f27de5bae9eafcead5fdac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4b4ee22f1f5960422e3807e9e5e5f09d

SHA1
7003238c4e14bd34d2e990591dd11ea4b69f2db0

SHA256
d6f2edc021bef388a7ce9b71e2f5054928ef46d8108cf6cf12d3547942e2390d

SHA512
6cea2b65ba2214466689c276501bf83ce23eea0ca02a588ba63bc54bd426774fef90701041b75f7cf2eec97cc01ea202d087774d9551b4f35441de7083828088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
653b0c7f9ac14fcfed284608d942a002

SHA1
a4bd5d8222136dc1ebda55a91006dc0210a27d9d

SHA256
b7ad7d5f69645bf95092270b7bde30c5b5ba75e5fc6c1f74eb93e7ff78ca273b

SHA512
a533cfd5d67c9a17ab8cb5d0d885b3094cc34990187a49f82581e0c90b7caa30608f744f736e41323271c5288710c769627318156abcfa9c55f006a300b34733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f20de5b0f23b513c9b80ca61b2f68382

SHA1
a0b2866e10c3d41a5a22f6b0fe59ea422ccd0cd6

SHA256
a5523f3512a6d9dcf9a3f087b8a71158cf614f63204765f333a133071d23f18d

SHA512
8efddf2fb54978fb721541630879910c7c84489ea1556a5c2b738dcea0de95e5b79b7b3888ecaca4aedb61fb072acd01fea27d17f1dfc9adf4ebb5010474cfde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3e3d83d10e91059b636a0e08be436ad5

SHA1
fef4d9b492f85c299fbeedef49c65854ac471532

SHA256
3bba32cce3398f87ea80e3b39f1fa94a87011917ae5b87a7047f2df5dc212900

SHA512
d773297f6405f027afe5d6797e9a7a5e13c1cb2bd0bd8b6e6d7a0f7a20ad519ffbcbf5549df6635f4936c01bad740355e2c8219db7f19be5be59ba6d715c2432

Download Submit
C:\Users\Admin\Downloads\Transaction_Verification_zina_CJOGBPURZK.html

Filesize
3KB

MD5
dfffd6b3c7abe330f43193074036ada5

SHA1
585189395a55e29e049f090e5697dbde97b029b5

SHA256
f68f0c2a22999cf172b5efa9971207fa7c5fb4f5df7201d9cceba29026548d96

SHA512
f2e996713a34171b27b313e05d86456afc9ad502d6f0b114820db6ec388c1903296421d400a6aaef05f55ab49c42bee769c1dfd46913daa75df66985f366b346

Download Submit