Analysis
-
max time kernel
274s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
04-12-2021 06:53
General
-
Target
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.zip
-
Size
41KB
-
MD5
f57a2e95937e7727c82b0782e1cdd0d0
-
SHA1
570ac30c3c40c62d67ac39e857e840b69908ed16
-
SHA256
e038bb439a412f1c98d22a9a4726fbe0747a8bbbb48a8d26ac4dcb039f29e53e
-
SHA512
be171554a26d962445b8a9238abc6faecd2398dc04305730ef44f03418f20971657254f04887c4dbbca87d0a360077cb9e4666747882ba4bdc82e8d567858647
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\DECRYPT_YOUR_FILES.HTML
fantomd12@yandex.ru
fantom12@techemail.com
Signatures
-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.zip1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb661b4f50,0x7ffb661b4f60,0x7ffb661b4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1972 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5008 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1496,3563562144664272437,819025801762404994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb661b4f50,0x7ffb661b4f60,0x7ffb661b4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,8919184524490542283,4588488894980505321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Fantom.zip\Fantom.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
0871b10f67cc2f96d3fe59eca05fb749
SHA1f66b507311f1cd9c164515690f05852fad507218
SHA2568c23eeae8a86a7752802bbce08e8b09b56f15b72e9e000b7dd482a14d28ba2d4
SHA512947d4d1becac4bb067f6cecc67f309d2d520eb8d1caac34bb386c11d352d3b780dae79159c483385982762a07285764019828c3c5c9d22a277d00b84abc54aaf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.jsonMD5
90f880064a42b29ccff51fe5425bf1a3
SHA16a3cae3996e9fff653a1ddf731ced32b2be2acbf
SHA256965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268
SHA512d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.jsonMD5
0834821960cb5c6e9d477aef649cb2e4
SHA17d25f027d7cee9e94e9cbdee1f9220c8d20a1588
SHA25652a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69
SHA5129aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8921.104.0.3_0\_metadata\computed_hashes.jsonMD5
f682f44ce864a2e29d4392bc38bf0d90
SHA1ed092858017640aa4a0748cd1f82581ba745b6d1
SHA256a5a4dc17ced4bbb2743f5d8a4e09ef28983fc9da83a8608777dbf6fb3d270a9b
SHA512b0b70a4e8572e3c8035ed6c34b898d62021bcc9cea6526d89754d664d7461a33e3853caca6e59d02ff7f2a0ac92ea96f1abf392a936825c30192825eba983a9a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8921.104.0.3_0\_metadata\verified_contents.jsonMD5
8e11336217e78dcf7bca9a9771b031c9
SHA1e90e58888d2f94b804dc46daa29cc983f88528bf
SHA25617a39b8542333edbd1dbae53857c1e140f6421565d00515d4eeaf31978073f87
SHA512e3cd3dc6cef3d940c60cf7d9ddc0c2eba07de077e3607a4c1b9876a1af6446ed6681c3598c131e510e646d737f5401049207335fd5c7e9e1c8feeba592912a57
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\FaviconsMD5
a7a0ef4682fce2ffae280301e0a536de
SHA12aa6379f05b5955605ba4c3cf988646586337b68
SHA25672f259526b8d7f2634adc4385000c3ff1597ee6d8aa74de172382be14d92808c
SHA5121cf3828c4094a1b551bb7e0911bd0eae1ba898da56c23480ef1c5af0cfadd5ead689eec3b67210f3142ef22596a0ca5025aa2e1a33959b5a03f4d39732f960d6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1MD5
9abf1adc35191f95e0963fe1684495f3
SHA1f774676e8de150c8ccd3a93e2373e5828ca14e14
SHA25636343eab638f2d37260ed4d801ea90f8023c289ae89ffd0ba354c216e6f10683
SHA512404ebfaaea35fd08d4610e85b3f59b29ff69f1aeb914e928c14298889586d6c8fbe9d47149d4b9ec91fab7248ca1ce9a3136ab75892de101e59f8bae85978629
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\HistoryMD5
182e5d8f6b710208fb97972ddfbb544d
SHA1eab415e3e6349802a24a4332ad85ac41d48638d3
SHA2565ba85387cbf3618628be45fa329dab56c6e9e42c92aaa88ae78197e317e77763
SHA512fe30a3b55d698484a76af5cf21fed412facb7fc454ce25a2bda7e48187888d70a8b93aaa044fd3f98f1ba79021d225a3a8732eccf55768a6eb0e0d7593f25586
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountMD5
b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesMD5
b500f11f19e8fd304d10c34855a9956e
SHA14c054eb35a464d30a762d174d3ddce91aa03b339
SHA256ffe42a82690ce031b3c170a0ca80e53f997d6fc1ef9490d516cc570959d3dd9b
SHA512b756c6c9904f440f66f7237e440b8ce0003f215fd8585ed05d47cafede2b3309e55bfde0c7d64a85527aa917dd576806b6cade0fd36b51ce1badf1990e2668f9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesMD5
8d65e58abd052509dca38d482caa5df8
SHA19a7a898fe92856fbddf6cf185d1ad005528cc45f
SHA2560d784aa19b032c5e326b16e41bffa796894e4afc3818f89db7dedc7dc9eb24b3
SHA5120c889515ab3d98703c562c54a43665953f6cf9d70d1333c8e459bdba85cc362566dcc05fa0254ddf01f7d84ddc90c8e8b48b71b2ba0fd2deb38515cca292f895
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13280799877471190MD5
eb59ad8fc8a149c75ca8bdbd57629e8c
SHA11d065e03d0b8a109b5abdbe09b180beed4cd00b6
SHA2568ace1a7ea2ab655cad1f58288ff004020f01c4d97c3d2f55bb2fd6118c4ee39f
SHA5126391d617660ea4f561487feefbc8361850cd1d0d20d461d5422c801f57bca71205f6a51c4ce2f867c1e184b3dbc46f1ae0b9dfc8de0acfaef36247442c00436f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.logMD5
31c0ce88a05cfc456606c19d1a5ffefe
SHA17e33f57bd1ba0672ef1a9a2c6c74f2a9d40a82e0
SHA2564bb624d85d7471d34cbb80894931dde2c8ff22c9983974235ef10276d3ca7349
SHA512d49ff92060e67db03240e2f60dc3e662bf815e2640b83a9fea0769d6635448a13ba2b842d0ca99e7b5748cadc72bf31f9e020932eac45cc6926345539837d305
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOGMD5
1fa9138c19d98e9306a19d072f381a87
SHA1490e6c0c435d4dbf50f4457d8ae8bc78cb4ea1ee
SHA25608462ba7b3f1139515c85d0dbe32e529db6fdcaa9b8c6d0336ea639477b260ab
SHA512bf2979f5110c21b47cab74cfca123eba89990fa98e1d2d31a46203fc73a38478c9895f827dfc993dacdf073f4ec3cbb23e4e873694f2ce45dff334ece6214055
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logMD5
de92ad90be6d3364745b2f73f4c3cf73
SHA19158681463bd30e5af4dda4baac81f93cedbda77
SHA2560025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0
SHA5129e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOGMD5
1db9821d84dabdcb3495f41ea2f9178c
SHA1c2bba0baa961da756104a98786283cf265e82004
SHA256de75a438bd079e9c023b8d0a80a0169cf94bb9c7202993a7afe5114f70941c7b
SHA5121c3b1fdd122700e39a0de1925d1ac4acdc731a73c185d54e4f367e09665ce374528272abb13ed45ab5c33bc079b07af23efda20746320fb8a785bfe589f20181
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited LinksMD5
b149f4c4b5eecfc8ea23e58c3a984e46
SHA14a29d826d317df230c12f4edf5edcf400cd380ba
SHA256fcf71edbdba106409d616a2bcacd112055a13c5feb742e8677295e236f438821
SHA512d82e0ad86e9d51f506c22d539165499a6a8b0951dc8b682604ecc89a1ed6ddfd6718ff6b67f3a062bbf369d66a22d8090af7d5700352220222dbc2cb85cbae29
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_1MD5
ce0eabba9d6ce7021954f299e443188d
SHA1f0840f3cb67cba1eba883b6a6d4c9f3d8d164ac6
SHA2564f688b63c573157c9e1c2acb3c61eb3ed5347ba2a5f7d4153ec74d3958c56600
SHA5127843eb8606008043c5b6362c4ca10ddbb4f59fe3c66346d447d8a99fc58c4a40a7a2f78a9c29bb0ba444b652d3b38ca15c587a2346e2d31527c2a702d97054b6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last VersionMD5
b63048c4e7e52c52053d25da30d9c5ab
SHA1679a44d402f5ec24605719e06459f5a707989187
SHA256389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateMD5
a00513c54879f3622105767634a40db9
SHA149f6c33644b0fb8ec0ea885ef8ee7c2e1ae1f378
SHA256588e0cd86838d3423bf7ef638f3b97d09dcf3a85ec46395dcc6362a0141213aa
SHA512e1f47531ad9a9a976557eb391ecbc37ee0130d5ebaa3019a52fec1ccc6ef3848ebde20df381da9508ca91d86eff7dcc8c2a4b60a09807ce4abe976c6dedbe2e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1MD5
866dcf9707e6502a7bd7b890b185e613
SHA1b89211f0baa3e6aa8e0c0e290e6dd5e9c6fdec9c
SHA256f80cf96dca38a3d30deee0a54145ed05aca4361960034f1e990180fda7f52531
SHA5124fb6b2597afb064b168b46f991830f43f35f503f9c4d990e8930a9cf66afea4cce6519b063316a38711cede872dd18259c132c3007302e61973358db35af0039
-
\??\pipe\crashpad_3936_JKSJMVZTXYFVKKBIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_4132_EPVQPQVSDCVWTWKRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/372-143-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/372-148-0x0000000004CB3000-0x0000000004CB4000-memory.dmpFilesize
4KB
-
memory/372-141-0x00000000022B0000-0x00000000022DC000-memory.dmpFilesize
176KB
-
memory/372-144-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/372-145-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/372-146-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/372-147-0x0000000004CB2000-0x0000000004CB3000-memory.dmpFilesize
4KB
-
memory/372-142-0x00000000024C0000-0x00000000024EB000-memory.dmpFilesize
172KB
-
memory/372-149-0x0000000004CB4000-0x0000000004CB6000-memory.dmpFilesize
8KB
-
memory/372-150-0x0000000002520000-0x0000000002521000-memory.dmpFilesize
4KB
-
memory/372-151-0x00000000067A0000-0x00000000067A9000-memory.dmpFilesize
36KB
-
memory/4288-152-0x0000000000000000-mapping.dmp
-
memory/4288-153-0x0000000000600000-0x0000000000601000-memory.dmpFilesize
4KB
-
memory/4288-155-0x000000001B270000-0x000000001B272000-memory.dmpFilesize
8KB