hxxp://google[.]com

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133514586031678805"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4952	chrome.exe
4952	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3084	4952	chrome.exe	84
PID 4952 wrote to memory of 3084	4952	chrome.exe	84
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 1700	4952	chrome.exe	86
PID 4952 wrote to memory of 2328	4952	chrome.exe	88
PID 4952 wrote to memory of 2328	4952	chrome.exe	88
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87
PID 4952 wrote to memory of 528	4952	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb15f99758,0x7ffb15f99768,0x7ffb15f99778
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 --field-trial-handle=1864,i,18413762521578826516,14421376678426728361,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3946c2ea-682a-4c0f-9c45-2e9f4750588d.tmp

Filesize
114KB

MD5
d54f996ea68519af0be7d2f1be8e030c

SHA1
155fce6bb5941ff65c101d918cf0cf6a8542aa03

SHA256
3f0a22ba6fa836a5fd73f2523a0e76a9fcb980e86568784cdacf3ccfbf66e4c5

SHA512
eb41412d82559bf672b531a1380e0a689bb8675410b6dee2ab0317907fe01e50c3fb95756d8b286ccaccc81abd8af441a93faf5747fe911bab2bd6ea40923523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bb53dd1b8b15252d70d6f9515fe24009

SHA1
e8ef2a8690b879e9b7eb71986655cc4ec6e0cabb

SHA256
13f6edea6d5a600e58aff3be75465b808ba96cc979c2f4f4b3c1dca158e4f7ac

SHA512
72c07a3ff41a0fc7382262601aa0a96f6ac86ca52bb8e59c6e345199102994e7a237402a446b512ede64d0bd868784c722a7ea8981d83db5a941f79189fd4daa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ceb8d345630fe8d800af9a1f6a6223a6

SHA1
27e2a2809d149e2abfe540d7c20a14bde5a77590

SHA256
1a6840315f7cafb073c068578016f974b978dad4db223c9f78549062f20d7e96

SHA512
059c31aaa53540250417f03bbce9b817a0dce390dfe625df0a04d75c88aa198f56f070c6ff380dd5b9bf880903b9a35ac75dfad1e23f3e44bc399a6615bece9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
282173caec5214794e3a8404ac959307

SHA1
466f2e2a9bfd06251e746bf892465d1199f75c03

SHA256
115caac474d8aca766549f6e9b62dc767e517253b486f8081c62eae7f1ab1170

SHA512
ead1ce3303a3a8a0462c975649ed8e995cf10dda5734a3a8933cfa98c58bd0d026911e860187fce425a89884020bf4703ae1d972429ce7f592b0cd8946130f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ed587a1cd9361e9d8a637f98d8f65d44

SHA1
8751cce0e21e3fc7c91d517a711ee538242c0e0a

SHA256
1c023252e0fc3e7b90e4cb760b7a7ae1fc8cc5a4f8deefbd8b92139adeeb6ab3

SHA512
6eda204bb33e3cf6a832d88166a52dcc60d3288ae886e983ef050a64f132d61aefca554cec9f4bbc3bf3e7d644f5112436c10cd7ad0d0940aa71601cf6abdda1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
2813060e30a6a90d83f6517eface3b60

SHA1
d8d416c67b3aff56c34610dc4255db19cd313c2c

SHA256
8095485ae2c53de164419301518453c0ad295fee6174c3332194a6b4c8efccc2

SHA512
dae34989b7c638851a79a553c74f02f5e0488d93d0ad7ea74b99e77b10126ccc5c68643645aa10e3ba0f9f019d410d65de411097426b48c027a3842aa54260a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3984cd8781dd9bea861557ff5948f3bf

SHA1
8a299a43280908e7ef2b651bb4a5d4e53335d9bd

SHA256
1d772c63088f87f18d11d4e629df6b6641024c723d06df4f7decd72494c8c6d4

SHA512
9c246696732e188f53dcd6b9a1b67af534c40d2cf084b5836fd396373b64a6433cdc565f2dab27e5b5b1fc1aedd1df1e5bb4e238db6a25c190242b47296f632d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit