34a7d6799d67ce3bec0faade2612c8add1c75da0bf907d4e09096e0cff024b47

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

code.vbs
Size

1KB
MD5

3289420c58b0c8d9e45ab9ac9cc7e7e0
SHA1

88ca8c781641aa0741c45d5cb9d06ff633e41faa
SHA256

34a7d6799d67ce3bec0faade2612c8add1c75da0bf907d4e09096e0cff024b47
SHA512

722cd9b22c5fbd99f18ed870fcd380bed24398748a870221a298d7eb7c846afe7035b444958093b1bbd3fc93444dbe69de1ea5db6f91f8a0ea36d00f7ff5d406

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	208	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api64.ipify.org
4	api64.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4120	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612108998047854"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2620	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
5404	chrome.exe
5404	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2620	208	WScript.exe	86
PID 208 wrote to memory of 2620	208	WScript.exe	86
PID 208 wrote to memory of 4120	208	WScript.exe	95
PID 208 wrote to memory of 4120	208	WScript.exe	95
PID 208 wrote to memory of 4392	208	WScript.exe	97
PID 208 wrote to memory of 4392	208	WScript.exe	97
PID 4392 wrote to memory of 4192	4392	chrome.exe	98
PID 4392 wrote to memory of 4192	4392	chrome.exe	98
PID 208 wrote to memory of 996	208	WScript.exe	99
PID 208 wrote to memory of 996	208	WScript.exe	99
PID 996 wrote to memory of 2384	996	chrome.exe	100
PID 996 wrote to memory of 2384	996	chrome.exe	100
PID 208 wrote to memory of 1972	208	WScript.exe	101
PID 208 wrote to memory of 1972	208	WScript.exe	101
PID 1972 wrote to memory of 1632	1972	chrome.exe	102
PID 1972 wrote to memory of 1632	1972	chrome.exe	102
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 1404	4392	chrome.exe	103
PID 4392 wrote to memory of 456	4392	chrome.exe	104
PID 4392 wrote to memory of 456	4392	chrome.exe	104
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105
PID 4392 wrote to memory of 4548	4392	chrome.exe	105

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Roaming\note.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" www.google.com/search?q=what+is+the+problem+for+Admin%3F
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3e3ab58,0x7ffed3e3ab68,0x7ffed3e3ab78
    3⤵
    PID:4192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:2
    3⤵
    PID:1404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:8
    3⤵
    PID:456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:1152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3932 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:4504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3936 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4452 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:2544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4460 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4748 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3264 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:8
    3⤵
    PID:5968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5588 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:3976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5916 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:1
    3⤵
    PID:6036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6032 --field-trial-handle=1760,i,8996183647627230827,9705240816326400359,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" www.whatismyip.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed3e3ab58,0x7ffed3e3ab68,0x7ffed3e3ab78
    3⤵
    PID:2384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1700,i,1990157208437190679,13788530845956429364,131072 /prefetch:2
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1700,i,1990157208437190679,13788530845956429364,131072 /prefetch:8
    3⤵
    PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" www.whatismyip.com/search/?s=191.101.209.39"
  2⤵
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3e3ab58,0x7ffed3e3ab68,0x7ffed3e3ab78
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1936,i,954341688578590683,18354636208977591075,131072 /prefetch:2
    3⤵
    PID:2216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1936,i,954341688578590683,18354636208977591075,131072 /prefetch:8
    3⤵
    PID:1196

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
74KB

MD5
81f59c0b9e1efbff14d8229e2bfc7940

SHA1
263100c9e10746a2b93ddc11134053175b307e68

SHA256
dbdf636b91501693b41256a292a94fecd88233f7b7ce83f3c6ca512bc29f4047

SHA512
c67333b25474ff0d94c73fdefdc075ac8f1936c2a3c735f789263068d614f9e857907a8ecab6d8e0bf6e9c78932055c03f829e71c0907531d37e38f80bedbeaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
64KB

MD5
d84862513956cbe61aeb4ebbfdd3355a

SHA1
14ab269df17cb0333b1556ce120d587324479f6b

SHA256
a18b26912ab9e034923cc64fbfdb59d682500f2c556456930e480b6bd69e33b5

SHA512
d04ca96d72595f1e291a6ce96f092c1707064800103cde733512a186c1b22e089b63690a0c53965c97248dd782731b22fa2d27b8ee3ae112647382f1c06d1a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4edc7bcc02193574_0

Filesize
33KB

MD5
29d7e1bb6d511730a79c5a603bd160ac

SHA1
8f5b7d26fe260148413b3cacbfab2ffe17cd6d90

SHA256
59eb87ce281fd4c5c191a2d96c019de4e98a9d2895fc5d98413c6beeb06b76d2

SHA512
27472eedf960a6611f619e5e77332f890e6381dde2d3dca2139bff458135580b497924d5c369b8b899dc9761b2d80eb1f2fc3ceaf56d553ac34ca12de542a0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8fb76628fc73b93b_0

Filesize
291B

MD5
67ef35026dc709fce8a972adafea8845

SHA1
59aad753eda812e1da46b40bd828ca738e94ec92

SHA256
dc05a470646b5d2231c3b18a225d4da31cdbd0e0c2e0c07c3078343473344cdf

SHA512
e3060ac5f78bbec49101914db81aa3435cb7b172033701020ccd477ae5b13cd45df53d95636ea04785c834be0ebdffb31db7b2f9d36109f13ff84ed1ddbba0f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
e9acb0d1678cd08b9c75fec7e553d8c2

SHA1
d282caf8bc4a632d72fa9012a524fad4e7feb771

SHA256
002010d490423b447628d9482f7fe8da7dfc06429a87d49a9c91a44230f8fba6

SHA512
6c7d6555076eee534f308be9c1908e22eb671bbf564bd0dc505c55e6f9cf6b7c23c96e1b27d7c8cfaf0e7b97b185c2bee5739f56bfae6c246e8dfeda65a9cd40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6b0a170c08f06887af42531a5a493b73

SHA1
11c548205fc3ca6fed0c1cb582143ed1bd105726

SHA256
2f2d72088602145622b519b8f40e264c16470b6526e4ef96daa1f3ffad9b44ef

SHA512
48c93c4ef5caa66109efd0df66163cc4b33fdc316e03915a4a5e9e9aefaa509dee2268d6061107ccfe4168b9f5a872c3f2abcc863cb89cfc81998fbeb081b3c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c2e743654e111a2a4a54883046a1ad8

SHA1
870ee011bc8d7800d17354cd81a4a03a0e18d88a

SHA256
2152bb663448239a7cc1d605910e1f81d4e3c4ea530a0d87ef3f7926880ff1af

SHA512
39da774b87b98e1c412101b98c6c302840e0bd45e2247a873b00fd123a8931b34bacf87d1e23caf2360729ddd4201a0b681e3cad8d6a9adf0efac9bac390734a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b0248c02377d70affbff976e98e2a90e

SHA1
4aa712abc16d7d0a1a1d3e6bec36bc8d87c6f7a8

SHA256
7640de403ee6ae21580b8e29afdbc4cc189ab3dfb69455d3149f152dfb9e8a0f

SHA512
3f140c20a4991bbc6a28727ea9ecb244468b6cc9efcc4a7da0fbdf31148f1e768eb849156eb90e7f5e64897b5e548322a32d1ae124e3ea95e4256bff9474c4c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
80587818fa1d3624f0a7d435505a31f6

SHA1
2e3019346152e8d71a4fbb2b2f77725a2e520b33

SHA256
bb05f6d5f9b70a76f84d5dc3d14dbdef105fee8c4a7ca0120a3ad2c74a2bc438

SHA512
d32a3d0809e8cc748416caa262eae1ad14d21062fb74c71dcf9a6a22e330b7611d0d07214808d6b96fdbbb905b41f34c37ddfbf961d1755581e9a19df7869951

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
dde11eb12870abe3a415e3bb9b224211

SHA1
9877e55a954dd0cab73448eb7cbc448e0ee32234

SHA256
2cfe5880a73a0c0273386cd4f9eea48c6a15274963573136d71e709e2332be72

SHA512
0019f2c624148e5dc1571e57fee86e683af938df5b3f41e4ee72de0ff4e6acfd0f12760194c87a2adb10f810891de9f232514d91bd63f3f41e72936c80d4f36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
1230cdace4c58358b50c30c4185bdbf4

SHA1
a415876e93ae0f0e2ed3b1acec1a45f819272bd3

SHA256
5addcb18806c44524a1285abecc101a0420ef6b6c5198a33ec813bc1e21ecac6

SHA512
a8d1bb4767775cd874a46a1e36994544303c8b2344032c370a5ef0e55aca373a68aad35c1bcff7be5d2f975a9e6ed8f8f1983c471171c675430dd4f99394135d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
7e23e3096af5e1246ad6b01faf9e1d8b

SHA1
e107f86d16f198397597d820e39c9290cf13fdaf

SHA256
ffd25e531322f62868401274321e855e71945d553d45ce54b8398246febe8391

SHA512
c26a8e407e4e3fbe8d4ab5e42e5ce741399ddb1a427b0e83a68bc6e33d29729d329b31a6f9942c1601f3d9eec70d4fd360dc443c5f853213f1066b1f699442fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
265db1c9337422f9af69ef2b4e1c7205

SHA1
3e38976bb5cf035c75c9bc185f72a80e70f41c2e

SHA256
7ca5a3ccc077698ca62ac8157676814b3d8e93586364d0318987e37b4f8590bc

SHA512
3cc9b76d8d4b6edb4c41677be3483ac37785f3bbfea4489f3855433ebf84ea25fc48efee9b74cab268dc9cb7fb4789a81c94e75c7bf723721de28aef53d8b529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Roaming\note.txt

Filesize
105B

MD5
7974a453105fb964df9cbdf56bd8f998

SHA1
f99e67104498c6a19323cdb636f3edfee2f89119

SHA256
03eae3a1fc877ce36665bcf5c4f6b2614059447b454132083e3ed1eb439e00f0

SHA512
243e57c7f65de4f0ad505062bb80f06b2342d515b0f55bed8978f51367e517c42d60df5d85d83fa5f9ec17f076d2ea40fe4eefed7fadc2e72f88fad57c63d107

Download Submit