9f71f0c21498c7e2957e8ba80bddee5ac53c33e45fa2fb6d93c661955c3a318c

Analysis

max time kernel
24s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29/06/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCVR-Rookie.exe
Size

920KB
MD5

7e660168665d26cd71ed031bbe6d76b7
SHA1

ea90944f7f589f92d0322c4e3eb4943cf449fe5f
SHA256

9f71f0c21498c7e2957e8ba80bddee5ac53c33e45fa2fb6d93c661955c3a318c
SHA512

795a14806a57f82efdd6c6928fe54bacbad7d128b14aa931979f0bb1b3dddc95e15eb8dbf5fa05031431337bccfd4f70851703622c2f7aaddaab838afeecad78
SSDEEP

6144:n4lCyKgGScEOX+NuM3uBJgUpL8SNFDu/O63hGSb/DB5pr0+UTsWkef1XwxQ1GA/L:nrEJuHp5bu9TlLfUTdwq1hyiDyTO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
2040	7z.exe
4328	rclone.exe
4080	rclone.exe
1584	rclone.exe
2876	rclone.exe
2176	rclone.exe
388	rclone.exe
1984	rclone.exe
4244	rclone.exe
2820	rclone.exe
2844	rclone.exe
4968	rclone.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9	PCVR-Rookie.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9\Blob = 030000000100000014000000ca7788c32da1e4b7863a4fb57d00b55ddacbc7f91400000001000000140000003ae10986d4cf19c29676744976dce035c663639a04000000010000001000000042f8529fe545103fdd848980a8647f290f0000000100000030000000ed080184c5a30d366162d70be6fbb98ed70ace8650c3b7bccc7687cddaffb50f7d12eea1a961cc6f7fd0da9b3422f9fa19000000010000001000000076935b5c5a037216daaf8aac76df42c15c0000000100000004000000800100001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000d7030000308203d3308202bba003020102021056671d04ea4f994c6f10814759d27594300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f726974793076301006072a8648ce3d020106052b81040022036200041aac545aa9f96823e77ad5246f53c65ad84babc6d5b6d1e67371aedd9cd60c61fddba08903b80514ec57ceee5d3fe221b3cef7d48a79e0a3837e2d97d061c4f199dc259163ab7f30a3b470e2c7a1339cf3bf2e5c53b15fb37d327f8a34e37979a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604143ae10986d4cf19c29676744976dce035c663639a300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010019eceb9d892c200b04801d18de429972991632bd0e9c755b2c15e229406deeff72dbdbab901f8c95f28a3d087242895007e239156c0187d9161af5c0752bc5e6561107dfd898bc7c9f1939df8bca006473bc46109b93238dbe16c32e08829c863374763b284c8d034285b3e2b22342d51f7a756a1ad17caa6721c4333a396d53c9a2ed6222a8bbe2556c996c436b9197d10c0b93021dd2bc697749e61b4df7bf147803b0a6ba0bb4e1857f2fdc423bad740148ded66ce11998095e0ab36747fe1ce0d5c128ef4a8b44312604378d8974362eefa5220f83744992c7f710c20c29fbb7bdba7fe35fd59ff2a9f474d5b8e1b3b081e4e1a563a3ccea0478906ebff7	PCVR-Rookie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	PCVR-Rookie.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PCVR-Rookie.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PCVR-Rookie.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\SystemCertificates\CA\Certificates\7F95276D4951499FD756DF344AA24FB38CEAF678	PCVR-Rookie.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\SystemCertificates\CA\Certificates\7F95276D4951499FD756DF344AA24FB38CEAF678\Blob = 0300000001000000140000007f95276d4951499fd756df344aa24fb38ceaf6781400000001000000140000000f6be64bce3947aef67e901e79f0309192c85fa3040000000100000010000000ee39380f325cf0c51f4c6f7be0a4c8990f000000010000003000000011634607adf75b5e2bb0c3f38525f19b8cb00415cf48940a83e1da5b90dbf3d251de3a2659675838654f1705ba8fe7411900000001000000100000007818fd06fa225d60f1172f1ef2efcebf5c00000001000000040000008001000018000000010000001000000076935b5c5a037216daaf8aac76df42c1200000000100000089030000308203853082030ca003020102021023b76de3c1bb2b1a51961e08eab764e8300a06082a8648ce3d040303308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f72697479301e170d3230303133303030303030305a170d3330303132393233353935395a304b310b30090603550406130241543110300e060355040a13075a65726f53534c312a3028060355040313215a65726f53534c2045434320446f6d61696e2053656375726520536974652043413076301006072a8648ce3d020106052b8104002203620004364161172b5325edaaca94e4d6da4857ef50ba846482d7bb051bd61f0624f6a5339d8ce7f10b5568638230105f8d65ecaaa8af97cab586ce30018974dee34e5e016eee267bcc53fa23a4f7441d3e4d1e5f66a6ad85f6f2e3bc8e099880248e20a382017530820171301f0603551d230418301680143ae10986d4cf19c29676744976dce035c663639a301d0603551d0e041604140f6be64bce3947aef67e901e79f0309192c85fa3300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102024e3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737445434343657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374454343416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300a06082a8648ce3d040303036700306402302470540f01c940ddc854d96d54cac808ca984374d83ff4d7a95f6df261b9700a261b6330a88b319cbf77ec67b07fa588023025adaba4b0ee8d52e0dd0d7c9ddf7d1daee25c649c74f87e63e5c14e601686b0a75e196eec08c691d8fb0314a1a595ab	PCVR-Rookie.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4328	rclone.exe
4328	rclone.exe
4328	rclone.exe
4328	rclone.exe
4080	rclone.exe
4080	rclone.exe
4080	rclone.exe
4080	rclone.exe
2728	PCVR-Rookie.exe
2728	PCVR-Rookie.exe
1584	rclone.exe
1584	rclone.exe
1584	rclone.exe
1584	rclone.exe
2876	rclone.exe
2876	rclone.exe
2876	rclone.exe
2876	rclone.exe
2176	rclone.exe
2176	rclone.exe
2176	rclone.exe
2176	rclone.exe
388	rclone.exe
388	rclone.exe
388	rclone.exe
388	rclone.exe
1984	rclone.exe
1984	rclone.exe
1984	rclone.exe
1984	rclone.exe
4244	rclone.exe
4244	rclone.exe
4244	rclone.exe
4244	rclone.exe
2820	rclone.exe
2820	rclone.exe
2820	rclone.exe
2820	rclone.exe
2844	rclone.exe
2844	rclone.exe
2844	rclone.exe
2844	rclone.exe
4968	rclone.exe
4968	rclone.exe
4968	rclone.exe
4968	rclone.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	PCVR-Rookie.exe
Token: SeRestorePrivilege	2040	7z.exe
Token: 35	2040	7z.exe
Token: SeSecurityPrivilege	2040	7z.exe
Token: SeSecurityPrivilege	2040	7z.exe
Token: SeDebugPrivilege	4328	rclone.exe
Token: SeDebugPrivilege	4080	rclone.exe
Token: SeDebugPrivilege	1584	rclone.exe
Token: SeDebugPrivilege	2876	rclone.exe
Token: SeDebugPrivilege	2176	rclone.exe
Token: SeDebugPrivilege	388	rclone.exe
Token: SeDebugPrivilege	1984	rclone.exe
Token: SeDebugPrivilege	4244	rclone.exe
Token: SeDebugPrivilege	2820	rclone.exe
Token: SeDebugPrivilege	2844	rclone.exe
Token: SeDebugPrivilege	4968	rclone.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2040	2728	PCVR-Rookie.exe	82
PID 2728 wrote to memory of 2040	2728	PCVR-Rookie.exe	82
PID 2728 wrote to memory of 4328	2728	PCVR-Rookie.exe	84
PID 2728 wrote to memory of 4328	2728	PCVR-Rookie.exe	84
PID 2728 wrote to memory of 4080	2728	PCVR-Rookie.exe	86
PID 2728 wrote to memory of 4080	2728	PCVR-Rookie.exe	86
PID 2728 wrote to memory of 1584	2728	PCVR-Rookie.exe	88
PID 2728 wrote to memory of 1584	2728	PCVR-Rookie.exe	88
PID 2728 wrote to memory of 2876	2728	PCVR-Rookie.exe	90
PID 2728 wrote to memory of 2876	2728	PCVR-Rookie.exe	90
PID 2728 wrote to memory of 2176	2728	PCVR-Rookie.exe	92
PID 2728 wrote to memory of 2176	2728	PCVR-Rookie.exe	92
PID 2728 wrote to memory of 388	2728	PCVR-Rookie.exe	94
PID 2728 wrote to memory of 388	2728	PCVR-Rookie.exe	94
PID 2728 wrote to memory of 1984	2728	PCVR-Rookie.exe	96
PID 2728 wrote to memory of 1984	2728	PCVR-Rookie.exe	96
PID 2728 wrote to memory of 4244	2728	PCVR-Rookie.exe	98
PID 2728 wrote to memory of 4244	2728	PCVR-Rookie.exe	98
PID 2728 wrote to memory of 2820	2728	PCVR-Rookie.exe	100
PID 2728 wrote to memory of 2820	2728	PCVR-Rookie.exe	100
PID 2728 wrote to memory of 2844	2728	PCVR-Rookie.exe	102
PID 2728 wrote to memory of 2844	2728	PCVR-Rookie.exe	102
PID 2728 wrote to memory of 4968	2728	PCVR-Rookie.exe	104
PID 2728 wrote to memory of 4968	2728	PCVR-Rookie.exe	104

C:\Users\Admin\AppData\Local\Temp\PCVR-Rookie.exe
"C:\Users\Admin\AppData\Local\Temp\PCVR-Rookie.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\rclone.zip" -y -o"C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" listremotes --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" cat ":PCVR Games/VRP-GameList.txt" --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Rookie.WTF\PCVR-Rookie.exe_Url_xvschwsgakn2nagjsqlofr5vkuygxcxa\2.0.0.0\user.config

Filesize
1KB

MD5
18539f4e71b56fa588b9fc499e40bd8d

SHA1
31cd0e9ea7855ee5c5c94784eaa71b73f2f381ad

SHA256
d227df912be561c21e72ef6743f13eb31b1c6a16c72435c9ad25711c2fa311dc

SHA512
2882849a8d5e287ac9bdf6b95656b5a25037a050a84e8bf4e7bbef53c8b00473973e8f3a320f7164e7b605496e33f64c537ba8bc0882917f486f1d8d61918490

Download Submit
C:\Users\Admin\AppData\Local\Rookie.WTF\PCVR-Rookie.exe_Url_xvschwsgakn2nagjsqlofr5vkuygxcxa\2.0.0.0\user.config

Filesize
1KB

MD5
1ee5e88f8049c2d9e69bac871c4d3c5c

SHA1
531c8334b05c1ea0eb182721e7002bb5dfd783f3

SHA256
fbeaafa7d44af56009f6e4a5049d8814d9ae00af55e563ce4d1077af0a0477dd

SHA512
40e87b58742bbeb2fd4e684857b2e03f1690726bafcb764a897d440b638f9b48075549300826393a7e7c66e1b993f1b52d7ae9ed213918dea36491ff318a1b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
1.2MB

MD5
1a7eaa1dab7867e15d7800ae0b5af5e3

SHA1
9e6d344bd8724aa1862f4254d8c42b7cc929a797

SHA256
356bea8b6e9eb84dfa0dd8674e7c03428c641a47789df605c5bea0730de4aed2

SHA512
a12373ec7ec4bac3421363f70cc593f4334b4bb5a5c917e050a45090220fab002c36ba8b03be81159fd70955b4680146c9469e44ddf75a901465d6b1231ee6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone.zip

Filesize
20.1MB

MD5
10babe225d85f3da58ee8cc260b63793

SHA1
900da981ad757c5b8696b71475341c9228e84be9

SHA256
8e8bb13fb0d7beb316487ecde8ead5426784cdcdbf8b4d8dd381c6fe8c7d92a0

SHA512
d771c4631b607fc447be37d2ee266859dec4e09aa5544559edff2dea6d277ac9a28792ef1d12875c51b48773e155a983633b9f7ad59e14a36fb36de4d7fe9246

Download Submit
memory/2728-4-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/2728-5-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2728-6-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2728-7-0x0000000006930000-0x00000000069E0000-memory.dmp

Filesize
704KB

Download
memory/2728-0-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/2728-2-0x0000000005B60000-0x0000000006106000-memory.dmp

Filesize
5.6MB

Download
memory/2728-1-0x0000000000A10000-0x0000000000AFC000-memory.dmp

Filesize
944KB

Download
memory/2728-50-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/2728-51-0x0000000013BD0000-0x0000000013C36000-memory.dmp

Filesize
408KB

Download
memory/2728-54-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2728-63-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download