hxxp://htpcrf[.]xyz

Analysis

max time kernel
149s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/04/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://htpcrf.xyz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579866208728397"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
4324	chrome.exe
4324	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3964	1424	chrome.exe	74
PID 1424 wrote to memory of 3964	1424	chrome.exe	74
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 812	1424	chrome.exe	76
PID 1424 wrote to memory of 3860	1424	chrome.exe	77
PID 1424 wrote to memory of 3860	1424	chrome.exe	77
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78
PID 1424 wrote to memory of 988	1424	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://htpcrf.xyz
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8d8869758,0x7ff8d8869768,0x7ff8d8869778
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:2
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1764 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1992 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:8
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2672 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2684 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:1
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4276 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4164 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4768 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4760 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:1
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 --field-trial-handle=1832,i,2401648683137786715,16281265655592594540,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
73e315f235763b8b162a6cc5f8f01ca8

SHA1
b3a49859b6de9fac4c4eccec159dada2c0b3ed51

SHA256
302af1e78f708dea49526be4ee363b75778f366196f2459090d80d650053775a

SHA512
a584663cf5b94910fd0ec5b53e0e8ff5832a8910e4e9e2d9a95018d8512d5b40c5e79e01daeac53eb88f9118eb671f67b4bcd1f2d0eecfde986677785a050b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
39fa5e46bd18cb9ff6436f09536e519a

SHA1
e12287d6fadbb05f48d6043489863a6f26e08710

SHA256
9a291ea13388eb8574bcaff1443ed3df7a8e35e60cee3b6647b4a6d5496ea795

SHA512
a9668127a916b52aa419ffff1d1d1fbafc856ca580bdaa7c10df7ab5d05cf30ea505cce528ebc287bee9b225e7bbc2251fadafc7e680c6d8d3e25c7ed4af550d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
87f6ac61476b39738d51cb402395964d

SHA1
1eb12e1310e6926f77e9706ad26ee8086bc14511

SHA256
6acf1586572ad113666f5b3bbef4eed8060f4fe01ce06500f2c773215cfac13b

SHA512
fe2bc7b673024fc60a3ef45da82102c049d758c178f7f8332b727ad43b13b6f94ea6cbdcf2b00c90ecec5063df55489422a7874475b4f01183d684ee944e27c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
2920f1dde0b1019c2821a16878510910

SHA1
97b3aca3c06e8c166218aa7a4e0e018ea0d4248b

SHA256
35af80c5febd2f139a3d650a225884530f4cf851cc7f1a55ede75694240d6005

SHA512
416f9fba99409d2181cb4a91e31fde0049f74eca7b23e0a64490248bb1b8e269c2463eed2a333a857ef8ba165a754118908198ab7fb1ed08d1f49af675dd8074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit