hxxps://krs[.]microsoft[.]com/redirect?id=-crYd9Lj

Analysis

max time kernel
33s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-de
resource tags

arch:x64arch:x86image:win10v2004-20241007-delocale:de-deos:windows10-2004-x64systemwindows
submitted
28-11-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://krs.microsoft.com/redirect?id=-crYd9Lj

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772647672825742"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3000	3140	chrome.exe	83
PID 3140 wrote to memory of 3000	3140	chrome.exe	83
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 2164	3140	chrome.exe	84
PID 3140 wrote to memory of 4392	3140	chrome.exe	85
PID 3140 wrote to memory of 4392	3140	chrome.exe	85
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86
PID 3140 wrote to memory of 3376	3140	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://krs.microsoft.com/redirect?id=-crYd9Lj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffabb75cc40,0x7ffabb75cc4c,0x7ffabb75cc58
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4936,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4856,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5164,i,12950962225112887168,4373115893812868664,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1204

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0c7e722b8aaa5d2ed74fac29cbb6b277

SHA1
f1e9bca90329302638166207d5b92f9fd6982936

SHA256
119dc92b768578a70cb09d167fbc5013233d19ea6b7c8427fc76073faf6cffb5

SHA512
2f5205331b2cb7186671a6c3981348b871d1b38cc8021611608e6c0895d0f0e99fbb424ab76d49c8aadb23cad631dd7f3948d466cc46634188b6eb20700d4fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
d2e6417110cb6477b2fced1c817749e8

SHA1
7507178934eee81a0a8268ebf84ea7cd8b18650e

SHA256
82fe3a5e31b6eec35aaf6e0b5de6c39edfef55ae09731e8e9f5eaf80d9ea80ea

SHA512
ca3e63437e70251904333fd4b3e323b9250e4f92f3f90a6605cdd00809b583673457896c821659e67d35135bb776c0cc7b46158ef30cf2ba13faba54d6ce8286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b4cf1074ffb1ca6e7100d2ce302452e9

SHA1
23d0c8162c487e2ba3ed34abe7c2d9f9a2776d0f

SHA256
f0144a7cc271ae601184993204ecb119593fd95a7e730153d5b80e6b5cbfd82e

SHA512
70494297b3b68b8e480aec97f89ff65c64a41165aae75e4573750b7e04e9042a9c18c3f72341ac356a84c366669757f31d90f96add20c365d4fe8fc5a63d21e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97adbc0afb63cc6f8dae36b7ee9c9976

SHA1
99b5fe37dea4ebcd035246282f0d9f6ff947cc30

SHA256
2e58a4c129b2e5a024d0d0f28b23f10e0a73161ced566f694654d7e9ad0df1c4

SHA512
73dad6f49e2eb230d9a87d7b876f4146de5f279a67d9b6c93412c7beda97077a7436a1d9b0c89e5917c275ac1cb2eabcf8386d19d46f4b22d76a21ad11b43eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
807979901b5dfdd68104c31fc08d9078

SHA1
a1bc379d3ab93476a4b98ecc581b490aed740130

SHA256
69cd57e7b1dfc68a520124c5444fab5169a0b831f8aa640bacfd853fdcd26849

SHA512
f20720c13d075f1e7f5cdc3448e523fa1337a77d4d8a609d97d1894da649e0defc4c74678157feb44db1c7dee0ca1dd7e81abaaaf791fac57852994038d0a024

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
222e33e276b8b1562647df8b79adb550

SHA1
f817bc9a8e69d3c2445c83912b48c75ccdafbf29

SHA256
d5b76c06d7018af53372564f795562324ef0932bb24854fbcb62447939bcb574

SHA512
56585c5df6b6c47d7e490c2d6f62bc236b40a7eda5e9de6b73c037da685d249fdbaf21d3ed4c7afda50dab8ed7eae1e8c89dedc9aa14a4745586ce3863d907e0

Download Submit