Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PAYMENT FORM.pdf.shtml

HTML document, ISO-8859 text, with CRLF line terminators

initial sample

Details

Filetype:	HTML document, ISO-8859 text, with CRLF line terminators
Entropy:	5.270324452540122
Filename:	PAYMENT FORM.pdf.shtml
Filesize:	4148
MD5:	23f212782a200830b900150b7f10c60b
SHA1:	e9874805219b812cfc629d310d78266cac9ee7b0
SHA256:	e90c3b9b5355a0b2291b644ed190d3b68c38e09884020939fc8e547802d724c9
SHA512:	f77a6307c2f89a48695fce32c628b870dc1c0da6f2a8bb63801903790d1475e5c3011f03108deccabb35fb8733236d1569648d4c9fc68c551408830520f6b1cf
SSDEEP:	96:T7N92iVLQFlqqBA8mWm5AbaJLbE8JLI0dyL7juLkLTwbqknqNO6qx+tQ2COvd:9VLQFlqqBA8tRbaJL7JLhdyLnUkLWqIu
Preview:	<html>..<head>...<meta name="viewport" content="width=device-width, initial-scale=1">...<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />...<title>ADG Fasteners Inc. </title>.....<style>..body, html { height: 100%;margin: 0; font-family: Ar

Signature Hits	Behavior Group	Mitre Attack
HTML document with suspicious name	System Summary
URLs found in memory or binary data	Networking

Chrome Cache Entry: 133

JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 236x305, components 3

dropped

Details

File:	Chrome Cache Entry: 133
Category:	dropped
Dump:	chromecache_133.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 236x305, components 3
Entropy:	7.9205505317109415
Encrypted:	false
Ssdeep:	192:o20Ar2jztQ9Fm5Gbs2/z/ZWPunO6r7PlFBoOVmawJNBlIoygh1N9wHeVeH:o8rGexb7K10BFB1ViJFTygh1rW
Size:	12673
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 134

JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 236x305, components 3

downloaded

Details

File:	Chrome Cache Entry: 134
Category:	downloaded
Dump:	chromecache_134.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 236x305, components 3
Entropy:	7.9205505317109415
Encrypted:	false
Ssdeep:	192:o20Ar2jztQ9Fm5Gbs2/z/ZWPunO6r7PlFBoOVmawJNBlIoygh1N9wHeVeH:o8rGexb7K10BFB1ViJFTygh1rW
Size:	12673
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 135

PNG image data, 300 x 168, 8-bit colormap, non-interlaced

downloaded

Details

File:	Chrome Cache Entry: 135
Category:	downloaded
Dump:	chromecache_135.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PNG image data, 300 x 168, 8-bit colormap, non-interlaced
Entropy:	7.918895525600194
Encrypted:	false
Ssdeep:	96:Rf7Nxipdnw+hs0YauR2lgd9WV35U8sGfmFrULqBx7:xN4Ths0YvslgdEUlGeFrf7
Size:	4294
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 136

PNG image data, 300 x 168, 8-bit colormap, non-interlaced

dropped

Details

File:	Chrome Cache Entry: 136
Category:	dropped
Dump:	chromecache_136.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PNG image data, 300 x 168, 8-bit colormap, non-interlaced
Entropy:	7.918895525600194
Encrypted:	false
Ssdeep:	96:Rf7Nxipdnw+hs0YauR2lgd9WV35U8sGfmFrULqBx7:xN4Ths0YvslgdEUlGeFrf7
Size:	4294
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank

Details

Is windows:	true
Is dropped:	false
PID:	1972
Target ID:	0
Parent PID:	400
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Size:	2851656
MD5:	0FEC2748F363150DC54C1CAFFB1A9408
Time:	00:32:13
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff683680000
Modulesize:	2916352
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1696,i,11738228780153301006,12006418429625946186,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	5900
Target ID:	1
Parent PID:	1972
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1696,i,11738228780153301006,12006418429625946186,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Size:	2851656
MD5:	0FEC2748F363150DC54C1CAFFB1A9408
Time:	00:32:14
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff683680000
Modulesize:	2916352
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\PAYMENT FORM.pdf.shtml

Details

Is windows:	true
Is dropped:	false
PID:	6164
Target ID:	2
Parent PID:	400
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\PAYMENT FORM.pdf.shtml
Size:	2851656
MD5:	0FEC2748F363150DC54C1CAFFB1A9408
Time:	00:32:15
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff683680000
Modulesize:	2916352
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml

Details

Name:	file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Phishing site detected (based on logo template match)	Phishing
HTML body contains low number of good links	Phishing
No HTML title found	Phishing
None HTTPS page querying sensitive user data (password, username or email)	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

https://www.google.com/url?q

unknown

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1

142.250.203.110

https://i.pinimg.com/236x/46/85/2d/46852dd5fa51b69bdf5cc5c65c718ed9.jpg

146.75.120.84

Details

Name:	https://i.pinimg.com/236x/46/85/2d/46852dd5fa51b69bdf5cc5c65c718ed9.jpg
IP:	146.75.120.84
TargetID:	1
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://formspree.io/f/xeqwznlj

unknown

https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard

142.250.203.109

Domains

Name

Malicious

accounts.google.com

142.250.203.109

Details

Name:	accounts.google.com
IP:	142.250.203.109
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

dualstack.pinterest.map.fastly.net

146.75.120.84

www.google.com

142.250.203.100

Details

Name:	www.google.com
IP:	142.250.203.100
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

clients.l.google.com

142.250.203.110

clients2.google.com

unknown

Details

Name:	clients2.google.com
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

i.pinimg.com

unknown

Details

Name:	i.pinimg.com
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

192.168.2.1

unknown

239.255.255.250

unknown

Reserved

142.250.203.100

www.google.com

United States

142.250.203.110

clients.l.google.com

United States

127.0.0.1

unknown

142.250.203.109

accounts.google.com

United States

146.75.120.84

dualstack.pinterest.map.fastly.net

Sweden

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

ahfgeienlihckogmohjhadlkjgocpleb

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

gdaefkejpgkiemlaofpalmlakkmbjdnl

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

kmendfapggjehodndflmmgagdbamhnfd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

mhjfbmdgcfjbbpaeojofohoefgiehjai

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

neajdppkdcdipfabeoofebfddakdcjhd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nkeimhogjdpnpccoofpliimaahmaaome

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

prefs.preference_reset_time

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\LastWasDefault

S-1-5-21-3853321935-2125563209-4053062332-1002

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

gdaefkejpgkiemlaofpalmlakkmbjdnl

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

kmendfapggjehodndflmmgagdbamhnfd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

neajdppkdcdipfabeoofebfddakdcjhd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nkeimhogjdpnpccoofpliimaahmaaome

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nmmhkkegccagdldgiimedpiccmgmieda

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nmmhkkegccagdldgiimedpiccmgmieda

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}

HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics

user_experience_metrics.stability.exited_cleanly

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

media.cdm.origin_data

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

software_reporter.reporting

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

media.storage_id_salt

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

google.services.last_account_id

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

google.services.account_id

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.last_triggered_for_startup_urls

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.last_triggered_for_homepage

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

module_blocklist_cache_md5_digest

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

software_reporter.prompt_seed

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

default_search_provider_data.template_url_data

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

safebrowsing.incidents_sent

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

pinned_tabs

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

browser.show_home_button

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

search_provider_overrides

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.last_triggered_for_default_search

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

prefs.preference_reset_time

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

software_reporter.prompt_version

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

google.services.last_username

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

session.startup_urls

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

session.restore_on_startup

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.prompt_wave

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

homepage

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

homepage_is_newtabpage

HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}

lastrun

HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}

lastrun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\LastWasDefault

S-1-5-21-3853321935-2125563209-4053062332-1002

HKEY_USERSS-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry

TraceTimeLast

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

There are 43 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

98FA7F000

stack

page read and write

18EF71B0000

trusted library allocation

page read and write

18EF8080000

trusted library allocation

page read and write

18EF7E40000

trusted library allocation

page read and write

18EF6FD0000

heap

page read and write

18EF720B000

heap

page read and write

18EF7208000

heap

page read and write

18EF7221000

heap

page read and write

18EF7210000

heap

page read and write

98F7F9000

stack

page read and write

98F67B000

stack

page read and write

18EF80E0000

trusted library allocation

page read and write

18EF71A0000

trusted library allocation

page read and write

18EF8090000

trusted library allocation

page read and write

18EF7210000

heap

page read and write

18EF71D0000

heap

page read and write

18EF7489000

heap

page read and write

18EF6FE0000

trusted library allocation

page read and write

18EF7130000

heap

page read and write

18EF71C8000

heap

page read and write

18EF7450000

trusted library allocation

page read and write

18EF7210000

heap

page read and write

18EF71C0000

heap

page read and write

98F9F9000

stack

page read and write

98F879000

stack

page read and write

18EF7490000

trusted library allocation

page read and write

18EF8070000

heap

page readonly

18EF7480000

heap

page read and write

98F8FE000

stack

page read and write

18EF7485000

heap

page read and write

18EF7470000

trusted library allocation

page read and write

18EF7110000

heap

page read and write

There are 22 hidden memdumps, click here to show them.

DOM / HTML

URL

Malicious

file:///C:/Users/user/Desktop/PAYMENT%20FORM.pdf.shtml

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PAYMENT FORM.pdf.shtml

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPAYMENT FORM.pdf.shtml

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML

IOC Report
PAYMENT FORM.pdf.shtml