hxxps://google[.]com[.]ua/amp/s/google[.]com[.]ag%2Famp%2Fgoogle[.]com%252Furl%253Fq%253Dhttp%25253A%25252F%25252Fazahargerallt[.]online%2526sa%253DD%2526sntz%253D1%2526usg%253DAOvVaw0rrV1nVfVd0fEaAqbOuEo9#?total=awdaw@yahoo[.]com

Analysis

max time kernel
110s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://google.com.ua/amp/s/google.com.ag%2Famp%2Fgoogle.com%252Furl%253Fq%253Dhttp%25253A%25252F%25252Fazahargerallt.online%2526sa%253DD%2526sntz%253D1%2526usg%253DAOvVaw0rrV1nVfVd0fEaAqbOuEo9#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133410741689057060"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3756	3052	chrome.exe	82
PID 3052 wrote to memory of 3756	3052	chrome.exe	82
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 1496	3052	chrome.exe	85
PID 3052 wrote to memory of 2504	3052	chrome.exe	84
PID 3052 wrote to memory of 2504	3052	chrome.exe	84
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86
PID 3052 wrote to memory of 3688	3052	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://google.com.ua/amp/s/google.com.ag%2Famp%2Fgoogle.com%252Furl%253Fq%253Dhttp%25253A%25252F%25252Fazahargerallt.online%2526sa%253DD%2526sntz%253D1%2526usg%253DAOvVaw0rrV1nVfVd0fEaAqbOuEo9#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff78979758,0x7fff78979768,0x7fff78979778
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:2
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4748 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:1
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4496 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4724 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:8
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1996,i,15382932654459802401,11585940093625550537,131072 /prefetch:8
  2⤵
  PID:1844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
dc6b0a321057bee986bd1cab10a07756

SHA1
a439d151847102d021a5510a1c46444cde30040b

SHA256
a0b09b3ca205f23fbd8a7863df2574d798f86a480976a59c3644181de7bc683a

SHA512
183dd777a3770eb3c9ab0213ee072580e34e8d197f55a4bf7bd10a29f53e9eee3d678820d6d82dd18fe82c9d56e757d93f02677dc8322c451496bc2b02cb9433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c23c4c9393ec4467ff8ed89d99889369

SHA1
39d7df94e52ea04e32f58c231a53b60ebf4e0710

SHA256
eaf92269b6ad782e1167da390ce36bb9b2ebbf3eed7f020d05ef24f7330a8911

SHA512
c7c5e09f870d8a5a3dbed3e4269bd7dec50bbdc1ccba51f94321b8aaf27cf9f02f311e6e2d64957a752a3f041af1cbf16fde57b4ff7854036ae5426e89371765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
6e6d3431ec653ac6371dc0cc94b819e4

SHA1
f419d577f2dda9e77dab4462a792377a70099181

SHA256
a3d9e345fe82814fd5f18fded02cfc35e4190a1811d493d1962f0b227ea70c7e

SHA512
ae826df4ddfff9561701441f5c6117d26705f850a112c8cf1490c75f77425c9ca3b70b78f70d0ce42b0ff1039bd987ff830537c387f60ed832e1cd8d4d36a17c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4f13e6fc62e2fbf770b0d52399e6ce39

SHA1
8f6880c524b56a4ac527c62929a330ef7dd2f97e

SHA256
62ba78938ac92ba59355823ec5efaafefccdedaa6230891da30d2d9ca276fd4d

SHA512
532ccdd44d79ae75aa769b5642b1546fa9648a7d2ed74acc58af6032beec57028b91c8ee446e8eb763f862c8fb7592ccdcf699a125a05485e57e53280691ba07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cba24a1c290a09444ec287c214cf34a2

SHA1
c614c29fef73259862335039d60caebc18f08f6e

SHA256
c6e6aba0e6e31713149c03696c65d2f82128610044fd04610aa60e6fae4ad2cc

SHA512
b19ae7f9fa5e1220089a7ada4cc91639c053d935e61827bcaa139d8b37b0f128bb272b94fdb18e456081cb1c8af16bd0759e1b0681f09e77464808db73518c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
dd858a670e19b5130b70e934c26c2a45

SHA1
3620c34bde9618b23534a3eae79383dbc7f30d9c

SHA256
ece7be7c9b1af12d0a18a462613c455837ee91750a57b9caccae15864715dd06

SHA512
a8d02901a9fae7696a409d64149842cff30da6365eb0f50b490d91c5242416cd67b06a300fa6301552c3e0e1228efacbb203f22010a9ed1277e0b7b37478ea34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit