hxxp://adfoc[.]us/469249103331281

Analysis

max time kernel
64s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://adfoc.us/469249103331281

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586539990683702"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeCreatePagefilePrivilege	3036	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 32	3036	chrome.exe	84
PID 3036 wrote to memory of 32	3036	chrome.exe	84
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 5076	3036	chrome.exe	85
PID 3036 wrote to memory of 4000	3036	chrome.exe	86
PID 3036 wrote to memory of 4000	3036	chrome.exe	86
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87
PID 3036 wrote to memory of 4232	3036	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://adfoc.us/469249103331281
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xd4,0xfc,0x100,0xe0,0x104,0x7ffa98e4cc40,0x7ffa98e4cc4c,0x7ffa98e4cc58
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5000,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3524,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4988,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4896,i,1697148625713259181,13753459215841693286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2024

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\108880e9-bc64-45ab-b343-17fa30787e55.tmp

Filesize
9KB

MD5
07e8e44aaae9e64e5e0d290f380532c3

SHA1
b941a857252b50c132ab5fbfcd1cb503364e708a

SHA256
4047fdc6d9c237367a1ea3fcb3f15863a94a0e4eeb542701152fb8c92cb91878

SHA512
f81acf21a04589e60f1d79ac9f52b9e2b26c1e37ea58cff23a1c3ea69d7a39b0790b8d89301517cb83b5102b9333f429130d919a7c3ba3f03e2845c178006b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
67470e21169275db6d513e65b9b16fd3

SHA1
364017472881871f51e0f19e3211514310bd32ec

SHA256
afed5370f15d6e297e2bcf8e683974ab59867a53328c3f24641d37ac0bc8ff1d

SHA512
c648c25f1c4ad415b3a3612b6519499d03f1e92717f4ac454763daf794487de39b8691ad00902ca788536b4ff774e4c5c0c4f7b5c54e00758ccf513251b09ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09600d9e0bc70adbb3b3819c9e33a416

SHA1
337e22f00a3a0b6d712f0e3b83338c164caf4abb

SHA256
5e577566cefc42043b45ef80de8f091eb8b9cc13400540ae299b12f797339fd2

SHA512
cc706759ea55a396253fbb2d75eedb8edfe6c3f410a402f1d06b952eb7d6bada9b00604bdd8ecb3192f5e858c8d987f8d266d355e98882a5df412ed6a58b4936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47b2c6857a2c77a0da745fedb2fe0a26

SHA1
1159532a34e33db9382518f7949109abd5f05e8a

SHA256
12fd0a1ff7a4a85e3b23169f1e975ef61d7cc8c3e2470aebb8a7cc36a827f585

SHA512
fa8ae639f6949fb313bd9fe7ccf51d9c3c819c042a98bed7742809dcd02ccc7178f200769452753c2ce52843658d72672167cfa0ac7f9ad3a395c3c858e203e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d7edecb57b4afd2ee3e25a71a34e048

SHA1
9020c22276a32eed8ff3171adface9c9cbd35a06

SHA256
ad117f9c026a2d4209fbbd881a8e65f0070c7aa849e46bf791031a90ac8d6526

SHA512
7053bfb1ec1d5152a1b805ff263832ff7b29318dc1fdc75d95313c30c9d2738b2f2d69a59bfded7cd9117b89ebbf392f29175213666313f0d4f661f9dff60766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
1d11a0cdabaa5a77acebbc00d80ee157

SHA1
c9aa4a3883bad2416b4257d595b8a7f46ac8b851

SHA256
299a77e07c83db0c29cb906555c5d87371031566aaeea91899968e213e4627af

SHA512
2c305a3e1beb68b0776d66af0c212e58babaad31dd809cd5535cc3f4c0682506c17317954673bab12f747b9b66acb4e78f9b21662e55268d9f33fb97446651bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
9fdc550ad4b035a3b970845f3e4afd65

SHA1
9bd875a9431b9ff5d13bd0b438c91e0afb7c4524

SHA256
45b645376c7d58eb06bb271084943f6ae3a92b2d8ebabceb5072ec7a81fd47d4

SHA512
a379d0c1425a5bc6388ae6ff8763fc510d58ef35c591102140ba6c310bf11e409a8e4ade268a6c2b7a08e448cd8e7cf5aa5946d860c9b29c6f2c81aeb7054bbc

Download Submit