hxxp://imgs1cdn[.]adultempire[.]com

Analysis

max time kernel
46s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://imgs1cdn.adultempire.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133239474397419147"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	chrome.exe
2264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2264	chrome.exe
2264	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe
Token: SeShutdownPrivilege	2264	chrome.exe
Token: SeCreatePagefilePrivilege	2264	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4376	2264	chrome.exe	85
PID 2264 wrote to memory of 4376	2264	chrome.exe	85
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 1504	2264	chrome.exe	86
PID 2264 wrote to memory of 264	2264	chrome.exe	87
PID 2264 wrote to memory of 264	2264	chrome.exe	87
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88
PID 2264 wrote to memory of 4596	2264	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://imgs1cdn.adultempire.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ab689758,0x7ff8ab689768,0x7ff8ab689778
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1840,i,2454852824373887543,13389931984895069228,131072 /prefetch:8
  2⤵
  PID:2912

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a9ad71a254ff2cd6a95c1bfa644fab58

SHA1
8d7e598140500d8425253192e24fc2b79cc94064

SHA256
b2253da1c4773e81d8165fcecc8a8dbe7082f4dc534c6ce66de8c97df7569a58

SHA512
ce04a4d3d93e6ec6a19eb1fec556826bed3c685dd9cc116115fc744bef6ca73196e42591785f8c217ff56639915855616075e6c8262ad550a4288a67ab046998

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
503554c3b5a587e2e516555cbc3f09c1

SHA1
e4c474d03d6d8a1314fdd1c5ad0c8155c8d6727f

SHA256
b80323e9a4fc3939cd43d1b64d4e65ad512fe2ceaab79fc2772a7e12a7487fae

SHA512
a9fd6ff87cc676f122f902563a45fbc0b3a71dd19bed3ad08e6d3a741b9454918a6d8ce65e7cd73863f827ef05818fc0b7cd09029650fe0c3e3d3c4e058f25a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
7a83cde6479b6e161ca19bb27e76fe99

SHA1
0ab043bc232b82499c9da153e111ebaade969cc2

SHA256
b0957087f9013a934c8062cf57da692796fc1763fe74a1992a596cc324b5c3e4

SHA512
9fab30efd4c73dc9f9c1bffce3bc0812c5766ade23d4734fdae74045cc5160b4cac044f6daa1a603d4c8fbbcbe9786859d5eda59691ded30edc0c87496f16e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
70372508009e62373b9ae7b350b795a0

SHA1
eefc822744ae72cebdf74903d49041861ec0564f

SHA256
96837760353ee49963a22ee06a52eb15e511eedf2d681b6551000f1c6170bfd6

SHA512
3c140052fd1500051439faa41c9ef953ee3a7f45130d7ee458dcfafa09808184410f055c2f2c95d4aab74c63a78ba08099ccc78e08a3ecc2f7742b18f5b9c9bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit