Analysis
Max time kernel: 149s
Max time network: 149s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 17-02-2021 18:00

Static task: static1
Behavioral task: behavioral1
  Sample: 2.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 2.exe
  Resource: win10v20201028
General
Target: 2.exe
Size: 2.5MB
MD5: e63e41e15e86489a98dbeb2e6cb44e8a
SHA1: 5815d349a375f5cdf090ababcff86b3946ed6c07
SHA256: 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da
SHA512: 749d9580ac631916fbc1db207f0f48ed2ff9979f0cd8e352633cd86edfe7bd5bbb6da90b014e0b8ad639f8b9e567498f07353ef907ce2bd6dfa5536d3079991e
Malware Config
Extracted from C:\Users\Admin\Desktop\Recovery_Instructions.txt
  Email: felleskatalogen@protonmail.com
Extracted from C:\Recovery_Instructions.txt
  Email: felleskatalogen@protonmail.com
Signatures
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    1664  bcdedit.exe
    1180  bcdedit.exe
Processes:
    pid   process
    848   wbadmin.exe
    632   wbadmin.exe
Drops file in Drivers directory (12 IoCs)
  Processes:
    description                   ioc                                                         process
    File opened for modification  C:\Windows\System32\drivers\etc\networks.ReadInstructions   2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\protocol                    2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\protocol.inprocess          2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\protocol.ReadInstructions   2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\services.ReadInstructions   2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\hosts                       2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\hosts.inprocess             2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\networks.inprocess          2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\services.inprocess          2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\hosts.ReadInstructions      2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\networks                    2.exe
    File opened for modification  C:\Windows\System32\drivers\etc\services                    2.exe
Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description                   ioc                                                                                                              process
    File opened for modification  C:\Users\Admin\Pictures\UpdateGrant.crw.ReadInstructions                                                         2.exe
    File renamed                  C:\Users\Admin\Pictures\MergeFormat.raw => C:\Users\Admin\Pictures\MergeFormat.raw.inprocess                      2.exe
    File opened for modification  C:\Users\Admin\Pictures\MergeFormat.raw.inprocess                                                                2.exe
    File renamed                  C:\Users\Admin\Pictures\MergeFormat.raw.inprocess => C:\Users\Admin\Pictures\MergeFormat.raw.ReadInstructions     2.exe
    File opened for modification  C:\Users\Admin\Pictures\MergeFormat.raw.ReadInstructions                                                         2.exe
    File renamed                  C:\Users\Admin\Pictures\UpdateGrant.crw => C:\Users\Admin\Pictures\UpdateGrant.crw.inprocess                      2.exe
    File opened for modification  C:\Users\Admin\Pictures\UpdateGrant.crw.inprocess                                                                2.exe
    File renamed                  C:\Users\Admin\Pictures\UpdateGrant.crw.inprocess => C:\Users\Admin\Pictures\UpdateGrant.crw.ReadInstructions     2.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                   process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion       2.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion        2.exe
Deletes itself (1 IoCs)
  Processes:
    pid   process
    848   cmd.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1904-2-0x000000013FD30000-0x0000000140571000-memory.dmp    themida
    behavioral1/memory/1904-3-0x000000013FD30000-0x0000000140571000-memory.dmp    themida
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                   process
    Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run              2.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2.exe\" e"  2.exe
Processes:
    description        ioc                                                                                process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2.exe
Drops desktop.ini file(s) (1 IoCs)
  Processes:
    description                   ioc                                                                            process
    File opened for modification  \??\E:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini  2.exe
Enumerates connected drives (3 TTPs, 41 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid   process
    1904  2.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (57 IoCs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 13 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    process       pids
    vssadmin.exe  472, 1424, 1652, 884, 1080, 1824, 340, 616, 756, 1652, 1488, 1100, 1984
Modifies registry class (2 IoCs)
  Processes:
    description  ioc                                                                                                                              process
    Key created  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache     rundll32.exe
    Key created  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings                                               rundll32.exe
Opens file in notepad (likely ransom note) (3 IoCs)
  Processes:
    pid   process
    1212  NOTEPAD.EXE
    1020  NOTEPAD.EXE
    760   NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    1904  2.exe (same entry repeated for all 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1776  rundll32.exe
Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes (tokens enabled, in the order logged):
    vssvc.exe (pid 1960): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wmic.exe (pid 1680): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    AUDIODG.EXE (pid 1672): 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    1212  NOTEPAD.EXE
    300   chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (parent pid/process -> target pid/process; each write to a child was logged three times, except the last chrome.exe entry which was logged once):
    1904 2.exe -> vssadmin.exe pids 1424, 1652, 884, 1080, 1824, 340, 616, 472, 1488, 756, 1100, 1984, 1652
    1904 2.exe -> bcdedit.exe pids 1664, 1180
    1904 2.exe -> wbadmin.exe pids 848, 632
    1904 2.exe -> wmic.exe pid 1680
    1904 2.exe -> cmd.exe pid 848
    1776 rundll32.exe -> NOTEPAD.EXE pid 760
    300 chrome.exe -> chrome.exe pids 1652, 516
System policy modification 1 TTPs 1 IoCs
Processes:
2.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated (UAC-filtered) token as well, so an encryptor running elevated can reach mapped network shares. The value is normally absent; setting it is a common ransomware preparation step and is worth alerting on in its own right.
Processes
(tree depth in brackets: a [2] entry is a child of the nearest preceding [1] entry; the first line of each entry is the image path, the second the recorded command line)
-
[1] C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
[2] C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
- Interacts with shadow copies
-
[2] C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled No
- Modifies boot configuration data using bcdedit
-
[2] C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
[2] C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP
- Deletes System State backups
- Drops file in Windows directory
-
[2] C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- Deletes System State backups
- Drops file in Windows directory
-
[2] C:\Windows\System32\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2.exe >> NUL
- Deletes itself
-
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Recovery_Instructions.txt
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
[1] C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Recovery_Instructions.txt
- Opens file in notepad (likely ransom note)
-
[1] C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\Opened.docx.ReadInstructions
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Opened.docx.ReadInstructions
- Opens file in notepad (likely ransom note)
-
[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x56c
- Suspicious use of AdjustPrivilegeToken
-
[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5f16e00,0x7fef5f16e10,0x7fef5f16e20
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1016 /prefetch:2
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1276 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
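The children of 2.exe above form the classic recovery-inhibition chain (ATT&CK T1490): shrink each drive's shadow storage to 401MB so existing snapshots are evicted, reset it to unbounded, delete whatever remains, disable Windows recovery and boot-failure handling via bcdedit, delete system state backups with wbadmin, touch shadow copies through WMI, and finally delete the dropper with cmd. No single command is conclusive on its own (administrators run vssadmin and wbadmin too); the signal is one parent driving several of them in quick succession, together with the EnableLinkedConnections policy write. The detector below is an added example and not part of the sandbox report: it scores process-creation and registry-set records in a simplified, assumed field layout modelled on Sysmon events 1 and 13. The command lines are the ones recorded in the report; the PIDs and the two benign records are constructed.

```python
"""Score the recovery-inhibition chain shown in the process tree above.

Added example, not part of the sandbox report.  Records mimic Sysmon
process-creation (event 1) and registry-set (event 13) events in a simplified,
assumed field layout; command lines are the ones the report shows, PIDs and
the benign records are constructed.
"""
import re
from collections import defaultdict

# (label, image basename, regex over the lower-cased command line).  Each label
# is one distinct way of denying the victim a restore path (ATT&CK T1490).
PROCESS_RULES = [
    # Shrinking the diff area evicts snapshots that no longer fit; resetting it
    # to "unbounded" afterwards leaves the quota looking untouched.
    ("vss_resize", "vssadmin.exe", re.compile(r"resize\s+shadowstorage.*maxsize=")),
    ("vss_delete", "vssadmin.exe", re.compile(r"delete\s+shadows")),
    # The report records only "wmic.exe SHADOWCOPY /nointeractive", so match
    # the WMI class rather than a verb.
    ("wmic_shadowcopy", "wmic.exe", re.compile(r"\bshadowcopy\b")),
    ("bcdedit_norecovery", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    ("wbadmin_delete", "wbadmin.exe",
     re.compile(r"delete\s+(systemstatebackup|catalog|backup)")),
]
# "cmd /c del <path>": self-deletion when <path> is the parent's own image.
SELF_DELETE = re.compile(r'/c\s+del\s+"?([^\s"]+)')


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(ev):
    """Return the set of technique labels a process-creation event matches."""
    image, cmd = _basename(ev["image"]), ev["cmdline"].lower()
    labels = {label for label, img, rx in PROCESS_RULES
              if image == img and rx.search(cmd)}
    if image == "cmd.exe":
        m = SELF_DELETE.search(cmd)
        if m and m.group(1) == ev["parent_image"].lower():
            labels.add("self_delete")
    return labels


def classify_registry(ev):
    """EnableLinkedConnections=1 shows the user's mapped drives to the elevated
    token too, so an elevated encryptor can reach network shares."""
    if (ev["key"].lower().endswith(r"\policies\system")
            and ev["value"].lower() == "enablelinkedconnections"
            and str(ev["data"]) == "1"):
        return {"linked_connections"}
    return set()


def analyze(events, min_techniques=2):
    """Group hits by the process that drove them; alert when one process
    combines at least min_techniques distinct techniques."""
    hits = defaultdict(lambda: {"techniques": set(), "events": 0})
    for ev in events:
        if ev["type"] == "process":
            key, labels = (ev["ppid"], ev["parent_image"]), classify_process(ev)
        else:
            key, labels = (ev["pid"], ev["image"]), classify_registry(ev)
        if labels:
            hits[key]["techniques"] |= labels
            hits[key]["events"] += 1
    return [{"pid": pid, "image": image, "events": h["events"],
             "techniques": sorted(h["techniques"]),
             "attack": "T1490 Inhibit System Recovery"}
            for (pid, image), h in sorted(hits.items())
            if len(h["techniques"]) >= min_techniques]


MAL = r"C:\Users\Admin\AppData\Local\Temp\2.exe"
SYS = r"C:\Windows\system32"


def _proc(pid, ppid, parent, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid,
            "parent_image": parent, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    _proc(1424, 1904, MAL, SYS + r"\vssadmin.exe",
          "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    _proc(1652, 1904, MAL, SYS + r"\vssadmin.exe",
          "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"),
    _proc(1984, 1904, MAL, SYS + r"\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    _proc(1664, 1904, MAL, SYS + r"\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    _proc(1180, 1904, MAL, SYS + r"\bcdedit.exe",
          "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    _proc(848, 1904, MAL, SYS + r"\wbadmin.exe", "wbadmin DELETE SYSTEMSTATEBACKUP"),
    _proc(1680, 1904, MAL, SYS + r"\Wbem\wmic.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    _proc(848, 1904, MAL, SYS + r"\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2.exe >> NUL'),
    {"type": "registry", "pid": 1904, "image": MAL,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLinkedConnections", "data": 1},
    # Constructed benign noise: a browser child and an admin listing snapshots.
    _proc(516, 300, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer"),
    _proc(2001, 2000, SYS + r"\cmd.exe", SYS + r"\vssadmin.exe", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']}: {', '.join(a['techniques'])} ({a['attack']})")
```

Run as a script it prints one alert for PID 1904 listing all seven labels; the chrome child and the `vssadmin list shadows` record produce no hit at all. Keying on the parent rather than on each command is what keeps the false-positive rate down: a backup job that calls wbadmin once never accumulates a second label, while a ransomware dropper accumulates four or five within seconds. The real-world version should also require the labels to arrive within a short window and should not trust the recorded image name alone, since the same techniques can be reached through PowerShell or a copied, renamed binary.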
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5 f2df1cb400eb8c68d332f4efe1a7041f
SHA1 e803add9f704cf5a9c42a9ab8cad9f0a841c4c0f
SHA256 be6e978642ff42c99f6d971a50d3e7955b87c7bbf9c3f0c7c11587d91d06dc6d
SHA512 63a79cd8e8b99101fc2e9bd0605de757e8b80af1fa19af97bf9e1c7c4748fa8e3686fafa4fbe099f17f4365b2f51bdc5c8baded10cc32176e51c4e68095be516
-
C:\Users\Admin\Desktop\Recovery_Instructions.txt
MD5 1c417faf805d8868ae01923118a70a5a
SHA1 399c372efe377fea5241f500cc65dcef05bdfd35
SHA256 454c2830a71762808e870931131de6fe3a5be0117e5b024b9147ef60f42f9f05
SHA512 116725646b3533d3117085835553394f6d71b833bec2f2241de5778f6947495fa55652acea57f53fdb7a0b45fdf7470bd3acec2ab064d78ad2203863215a0f37
-
C:\Users\Admin\Documents\Opened.docx.ReadInstructions
MD5 a292c264997c8dc4c39f9173231e7d85
SHA1 23a6b9e6fe84fb161a6fc8ce81b047b13ca38060
SHA256 d2c17703666a1a4634277813416abb5db13650bb242ad1b4a1deaa9047841374
SHA512 a72348a8668778a67cfc1e331e3f15bec7bae2fa200a6a8be947071b1d861d07af8573511bec2b5b80913b41d2d54f80ab32f9f4165c90378201b97220ef274f
-
\??\pipe\crashpad_300_EWMTRBKPEKXNUTPK (Chrome crashpad pipe; the hashes are those of empty input, i.e. no content was captured)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/228-50-0x0000000000000000-mapping.dmp
-
memory/340-10-0x0000000000000000-mapping.dmp
-
memory/472-12-0x0000000000000000-mapping.dmp
-
memory/516-39-0x0000000077710000-0x0000000077711000-memory.dmp  Filesize 4KB
-
memory/516-37-0x0000000000000000-mapping.dmp
-
memory/616-11-0x0000000000000000-mapping.dmp
-
memory/632-22-0x0000000000000000-mapping.dmp
-
memory/756-14-0x0000000000000000-mapping.dmp
-
memory/760-31-0x0000000000000000-mapping.dmp
-
memory/848-20-0x0000000000000000-mapping.dmp
-
memory/848-28-0x0000000000000000-mapping.dmp
-
memory/848-21-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp  Filesize 8KB
-
memory/884-7-0x0000000000000000-mapping.dmp
-
memory/1080-8-0x0000000000000000-mapping.dmp
-
memory/1100-27-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp  Filesize 2.5MB
-
memory/1100-15-0x0000000000000000-mapping.dmp
-
memory/1180-19-0x0000000000000000-mapping.dmp
-
memory/1260-45-0x0000000000000000-mapping.dmp
-
memory/1328-48-0x0000000000000000-mapping.dmp
-
memory/1424-5-0x0000000000000000-mapping.dmp
-
memory/1488-13-0x0000000000000000-mapping.dmp
-
memory/1608-42-0x0000000000000000-mapping.dmp
-
memory/1652-34-0x0000000000000000-mapping.dmp
-
memory/1652-6-0x0000000000000000-mapping.dmp
-
memory/1652-17-0x0000000000000000-mapping.dmp
-
memory/1664-18-0x0000000000000000-mapping.dmp
-
memory/1680-24-0x0000000000000000-mapping.dmp
-
memory/1768-38-0x0000000000000000-mapping.dmp
-
memory/1824-9-0x0000000000000000-mapping.dmp
-
memory/1904-4-0x000000013FD31000-0x000000013FDE9000-memory.dmp  Filesize 736KB
-
memory/1904-2-0x000000013FD30000-0x0000000140571000-memory.dmp  Filesize 8.3MB
-
memory/1904-3-0x000000013FD30000-0x0000000140571000-memory.dmp  Filesize 8.3MB
-
memory/1984-16-0x0000000000000000-mapping.dmp