Resubmissions
date              task id             score
24-01-2022 18:12  220124-ws75xsgcf6   1
14-01-2022 15:34  220114-szqyfahceq   10
08-01-2022 19:45  220108-ygvfssdbh9   10
08-01-2022 19:45  220108-ygvfssdbh8   10
08-01-2022 19:34  220108-x95xkadbh3   8
07-01-2022 14:28  220107-rsy5sscda4   10
06-01-2022 19:07  220106-xszdfsbee2   10
Analysis
max time kernel: 318s
max time network: 351s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-12-2021 17:50
Static task: static1
URLScan task: urlscan1
Sample: https://youtube.com
Behavioral task: behavioral1
Sample: https://youtube.com
Resource: win10-en-20211208
General
Target: https://youtube.com
Although the submitted target is a URL, every IoC in the behavioral results below is attributed to executables run on the analysis VM: Birele.exe is shown at C:\Users\Admin\Desktop\Ransomware\Birele.exe, and the other processes named in the tables are GandCrab.exe, Cerber5.exe, DeriaLock.exe, InfinityCrypt.exe, Fantom.exe, BadRabbit.exe and $uckyLocker.exe. Nothing in the IoC tables ties that activity to the URL; read the signatures as describing those executables.
Malware Config
Extracted from: C:\HJPEH-MANUAL.txt
Family: gandcrab
URL (from the ransom note): http://gandcrabmfe6mnef.onion/c51f259fdf60d9
Signatures
BadRabbit
Ransomware family discovered in October 2017, mainly targeting Russia and Ukraine. In this run BadRabbit.exe drops C:\Windows\infpub.dat, and rundll32.exe then writes C:\Windows\dispci.exe and C:\Windows\472.tmp (see "Drops file in Windows directory"); 472.tmp is later executed as PID 4736 (see "Executes dropped EXE").

Fantom
Ransomware that hides its encryption run behind a fake Windows Update screen. Here Fantom.exe modifies files in place under Program Files and drops DECRYPT_YOUR_FILES.HTML ransom notes next to them.

Gandcrab
Ransomware-as-a-service family active from January 2018 until mid-2019. It appends a random per-victim extension to encrypted files and names its ransom note after that extension: in this run the extension is .hjpeh and the note is HJPEH-MANUAL.txt, from which the Tor URL under Malware Config was extracted.

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware. Every file InfinityCrypt.exe writes in this run carries the suffix .D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: Birele.exe, reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\Ransomware\\Birele.exe" | Birele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
Winlogon\Shell defaults to explorer.exe; replacing it makes the listed binary start as the user's shell at every logon. The per-user value is written by Birele.exe directly, the machine-wide value through reg.exe, so the second row will show up as a reg.exe command line rather than as a registry write by the sample.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes: WerFault.exe
description | pid | process | target process
PID 5092 created 4216 | 5092 | WerFault.exe | mshta.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Disables Task Manager via registry modification

Executes dropped EXE (10 IoCs)
Processes: software_reporter_tool.exe, software_reporter_tool.exe, software_reporter_tool.exe, software_reporter_tool.exe, nc123.exe, mssql.exe, mssql2.exe, 472.tmp, system.exe, WindowsUpdate.exe
pid | process
3168 | software_reporter_tool.exe
3960 | software_reporter_tool.exe
1064 | software_reporter_tool.exe
2336 | software_reporter_tool.exe
4432 | nc123.exe
4480 | mssql.exe
4516 | mssql2.exe
4736 | 472.tmp
4780 | system.exe
3792 | WindowsUpdate.exe

Modifies Windows Firewall (1 TTP)
Modifies extensions of user files (33 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: GandCrab.exe, InfinityCrypt.exe, DeriaLock.exe, rundll32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SwitchGroup.png.deria => C:\Users\Admin\Pictures\SwitchGroup.png.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\SyncDisable.crw.deria | GandCrab.exe
File renamed | C:\Users\Admin\Pictures\SyncDisable.crw.deria => C:\Users\Admin\Pictures\SyncDisable.crw.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromAssert.tif.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.png.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromAssert.tif.deria | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\StartResize.png.deria | DeriaLock.exe
File renamed | C:\Users\Admin\Pictures\UnprotectComplete.png.deria => C:\Users\Admin\Pictures\UnprotectComplete.png.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\StartResize.png.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.png.deria | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\DisableOptimize.tif.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.png.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff | rundll32.exe
File opened for modification | C:\Users\Admin\Pictures\DisableOptimize.tif.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\SkipComplete.raw.deria | GandCrab.exe
File renamed | C:\Users\Admin\Pictures\SkipComplete.raw.deria => C:\Users\Admin\Pictures\SkipComplete.raw.deria.hjpeh | GandCrab.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromAssert.tif.deria => C:\Users\Admin\Pictures\ConvertFromAssert.tif.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\StartResize.png.deria | GandCrab.exe
File renamed | C:\Users\Admin\Pictures\StartResize.png.deria => C:\Users\Admin\Pictures\StartResize.png.deria.hjpeh | GandCrab.exe
File renamed | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria => C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\SkipComplete.raw.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\SyncDisable.crw.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\UnprotectComplete.png.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\DisableOptimize.tif.deria | GandCrab.exe
File renamed | C:\Users\Admin\Pictures\DisableOptimize.tif.deria => C:\Users\Admin\Pictures\DisableOptimize.tif.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\UnprotectComplete.png.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\SkipComplete.raw.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\UnprotectComplete.png.deria | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromAssert.tif.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\SyncDisable.crw.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
The three suffixes stack on the same files: DeriaLock.exe works on <name>.deria, GandCrab.exe renames .deria to .deria.hjpeh, and InfinityCrypt.exe writes .deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC. rundll32.exe is the only process seen touching an un-suffixed original (UnregisterGrant.tiff). A victim of this run therefore needs all three families decrypted in reverse order before the original file is recoverable.
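The layering visible in the table above can be recovered mechanically. The following Python is an added example, not part of the sandbox report: it parses a handful of the rows above (copied inline as constructed input, in the description | ioc | process layout), groups the observed names by base file, orders them by suffix depth, and records which process renamed or opened each form. The row subset and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from the "Modifies extensions of user
# files" table above, copied in "description | ioc | process" form. Only the
# UnregisterGrant.tiff and SwitchGroup.png rows are included.
IOC_ROWS = r"""
File renamed | C:\Users\Admin\Pictures\SwitchGroup.png.deria => C:\Users\Admin\Pictures\SwitchGroup.png.deria.hjpeh | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.png.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria | DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.png.deria | GandCrab.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.png.deria.hjpeh.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterGrant.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria => C:\Users\Admin\Pictures\UnregisterGrant.tiff.deria.hjpeh | GandCrab.exe
"""

ROW_RE = re.compile(
    r"^(?P<desc>File renamed|File opened for modification) \| (?P<ioc>.+?) \| (?P<proc>\S+)$"
)


def parse_rows(text):
    """Turn report rows into (kind, src, dst, process) tuples; dst is None for opens."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        desc, ioc, proc = m.group("desc", "ioc", "proc")
        if desc == "File renamed":
            src, dst = ioc.split(" => ", 1)
            rows.append(("rename", src, dst, proc))
        else:
            rows.append(("open", ioc, None, proc))
    return rows


def base_of(path, observed):
    """Shortest observed path that `path` extends with dotted suffixes (or path itself)."""
    return min((p for p in observed if path == p or path.startswith(p + ".")), key=len)


def extension_chains(rows):
    """Group every observed file name by its base and order the names by suffix depth.

    Returns {base: [(suffix, renamed_by, opened_by), ...]}: suffix is "" for the
    base name, renamed_by is the process whose rename produced that name (or None)
    and opened_by is the sorted list of processes that opened it.
    """
    observed = {src for _, src, _, _ in rows} | {dst for _, _, dst, _ in rows if dst}
    opened_by = defaultdict(set)
    renamed_by = {}
    for kind, src, dst, proc in rows:
        if kind == "open":
            opened_by[src].add(proc)
        else:
            renamed_by[dst] = proc
    grouped = defaultdict(list)
    for name in observed:
        grouped[base_of(name, observed)].append(name)
    chains = {}
    for base, names in grouped.items():
        names.sort(key=lambda n: n.count("."))   # more dots = more layers
        chains[base] = [
            (n[len(base):], renamed_by.get(n), sorted(opened_by.get(n, ())))
            for n in names
        ]
    return chains


def suffix_added_by(rows):
    """Map each process to the suffixes its rename operations appended."""
    added = defaultdict(set)
    for kind, src, dst, proc in rows:
        if kind == "rename" and dst.startswith(src):
            added[proc].add(dst[len(src):])
    return dict(added)


if __name__ == "__main__":
    rows = parse_rows(IOC_ROWS)
    for base, chain in sorted(extension_chains(rows).items()):
        print(base)
        for suffix, renamer, openers in chain:
            print(f"  {suffix or '(original)':75} renamed by: {renamer or '-':14} opened by: {', '.join(openers) or '-'}")
    print("suffix appended per process:", suffix_added_by(rows))
```

Only rename rows let the parser attribute a suffix to a process with certainty (GandCrab.exe adds .hjpeh); for DeriaLock.exe and InfinityCrypt.exe the report shows opens of the already-suffixed names, so the code reports who touched each layer rather than guessing who created it.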
Sets service image path in registry (2 TTPs)

YARA match (the signature heading for this row was lost in extraction; rule upx matches a UPX-packed executable)
resource | yara_rule
behavioral1/memory/996-165-0x0000000000400000-0x0000000000438000-memory.dmp | upx

Drops startup file (7 IoCs)
Processes: GandCrab.exe, Cerber5.exe, DeriaLock.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HJPEH-MANUAL.txt | GandCrab.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\fdf6739fdf60d3514.lock | GandCrab.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ | Cerber5.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\hjpeh-manual.txt | Cerber5.exe
File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\_R_E_A_D___T_H_I_S___RB22MF19_.hta | Cerber5.exe
File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\_R_E_A_D___T_H_I_S___LOCV_.txt | Cerber5.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe | DeriaLock.exe
Only the last row is a real autostart: LOGON.exe in the Start Menu Startup folder runs at logon. The six Word\STARTUP rows are ransom notes and a lock file that landed there because the encryptors walk every directory; Word loads templates and add-ins from that folder, not .txt or .hta files, so the signature fires on the path, not on an executable payload.

Loads dropped DLL (7 IoCs)
Processes: software_reporter_tool.exe
pid | process
1064 | software_reporter_tool.exe
1064 | software_reporter_tool.exe
1064 | software_reporter_tool.exe
1064 | software_reporter_tool.exe
1064 | software_reporter_tool.exe
1064 | software_reporter_tool.exe
1064 | software_reporter_tool.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: Birele.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Birele.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Desktop\\Ransomware\\Birele.exe" | Birele.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
The same two paths (Birele.exe on the desktop and the dropped C:\Users\Admin\AppData\Local\system.exe, executed as PID 4780 under "Executes dropped EXE") also appear in the Winlogon Shell values above, so the sample registers each binary twice: once as a Run entry and once as the logon shell. Cleaning up only the Run values leaves the Winlogon entries in place.
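Worked example, added here and not part of the report: an audit over the registry rows from this section and the "Modifies WinLogon for persistence" section above (copied inline as constructed input in the description | ioc | process layout). It normalises the kernel-style \REGISTRY\... paths to the HKLM/HKU form reg.exe accepts, flags a Winlogon Shell value other than explorer.exe and Run entries that point into user-writable directories, and emits the reg.exe commands that undo them. The ATT&CK IDs, the user-writable directory list and the function names are the example's assumptions, not the report's (the report says "2 TTPs" without naming them).

```python
import re

# Constructed sample: the "Modifies WinLogon for persistence" and "Adds Run key
# to start application" rows from the report above, in "description | ioc | process" form.
REG_ROWS = r"""
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\Ransomware\\Birele.exe" | Birele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Birele.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Desktop\\Ransomware\\Birele.exe" | Birele.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
"""

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) \| (?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)" \| (?P<proc>\S+)$'
)
# Directories an unprivileged user can write to (assumed list for this example);
# both Run values in the report point into Desktop\ or AppData\Local\.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# ATT&CK mapping added by this example; the report does not name its TTPs.
T_WINLOGON = "T1547.004"   # Boot or Logon Autostart Execution: Winlogon Helper DLL
T_RUNKEY = "T1547.001"     # Boot or Logon Autostart Execution: Registry Run Keys


def normalise_key(key):
    """Rewrite a kernel-style \\REGISTRY\\... path into the HKLM / HKU form reg.exe accepts."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.IGNORECASE)
    key = re.sub(r"^\\REGISTRY\\USER\\(S-1-5-[0-9-]+)", r"HKU\\\1", key, flags=re.IGNORECASE)
    return key


def parse_registry_rows(text):
    """Keep only 'Set value' rows; 'Key created' rows carry no data to judge."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Key created"):
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({
            "key": normalise_key(m["key"]),
            "name": m["name"],
            # the report prints REG_SZ data with doubled backslashes
            "data": m["data"].replace("\\\\", "\\"),
            "process": m["proc"],
        })
    return rows


def audit(rows):
    """Flag Winlogon\\Shell values other than explorer.exe and Run entries in user-writable paths."""
    findings = []
    for r in rows:
        key = r["key"].lower()
        if key.endswith(r"\windows nt\currentversion\winlogon") and r["name"].lower() == "shell":
            if r["data"].strip().lower() != "explorer.exe":
                findings.append({**r, "technique": T_WINLOGON,
                                 "reason": "Winlogon Shell replaced (default is explorer.exe)"})
        elif key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            if USER_WRITABLE.match(r["data"]):
                findings.append({**r, "technique": T_RUNKEY,
                                 "reason": "Run entry launches a binary from a user-writable directory"})
    return findings


def remediation_commands(findings):
    """reg.exe commands that undo each finding: restore Shell, delete the Run value."""
    cmds = []
    for f in findings:
        if f["technique"] == T_WINLOGON:
            cmds.append(f'reg add "{f["key"]}" /v Shell /t REG_SZ /d explorer.exe /f')
        else:
            cmds.append(f'reg delete "{f["key"]}" /v {f["name"]} /f')
    return cmds


if __name__ == "__main__":
    findings = audit(parse_registry_rows(REG_ROWS))
    for f in findings:
        print(f'{f["technique"]} {f["process"]:12} {f["key"]}\\{f["name"]} -> {f["data"]}  ({f["reason"]})')
    print("\n".join(remediation_commands(findings)))
```

The Shell check is an exact match against explorer.exe, so a kiosk or custom-shell deployment will also be flagged; treat the output as review items, not automatic fixes. The HKU commands only work while that user's hive is loaded (user logged on, or the hive mounted with reg load), and the dropped system.exe itself still has to be removed after the values are cleaned.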
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: GandCrab.exe, Cerber5.exe
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | GandCrab.exe (24 entries: every drive letter except C: and D:)
File opened (read-only) | \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | Cerber5.exe (24 entries, lowercase: every drive letter except c: and d:)

Drops file in System32 directory (38 IoCs)
Processes: Cerber5.exe
description | ioc | process
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\desktop | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\documents | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office | Cerber5.exe
File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server | Cerber5.exe
These rows are directory probes rather than drops: each is an open-for-modification of a folder name from the sample's target list (Office applications, mail clients, Bitcoin, Steam, SQL Server, Desktop, Documents) resolved against the SYSTEM profile under config\systemprofile. The same list recurs against the LocalService and NetworkService profiles under "Drops file in Windows directory".

Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
Processes: Cerber5.exe, $uckyLocker.exe, GandCrab.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp65AD.bmp" | Cerber5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "0" | $uckyLocker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | GandCrab.exe
Drops file in Program Files directory (64 IoCs)
Processes: InfinityCrypt.exe, Fantom.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hr.pak | Fantom.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar | Fantom.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\protect_poster.jpg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File created | C:\Program Files\Common Files\System\es-ES\DECRYPT_YOUR_FILES.HTML | Fantom.exe
File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\DECRYPT_YOUR_FILES.HTML | Fantom.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar | Fantom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\da-DK\DECRYPT_YOUR_FILES.HTML | Fantom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar | Fantom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | Fantom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses-hover.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\s_empty_folder_state.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-2x.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo_2x.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt | Fantom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\ui-strings.js.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC | InfinityCrypt.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar | Fantom.exe
Two different encryption styles are visible here. InfinityCrypt.exe writes every file under a new name with the .D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC suffix, so each of its rows is an encrypted copy of an application file (Acrobat Reader resources, a VSTA host adapter, a .NET interop assembly). Fantom.exe instead opens application files (Chrome locale packs, JDK jars, 7-Zip language files) in place and creates DECRYPT_YOUR_FILES.HTML in the directories it visits. Both families encrypt inside Program Files, which is why an affected host typically also needs application reinstalls, not just user-data recovery.
Drops file in Windows directory (64 IoCs)
Processes: BadRabbit.exe, Cerber5.exe, WerFault.exe, rundll32.exe
description | ioc | process
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\steam | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\office | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office | Cerber5.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\documents | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! | Cerber5.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File opened for modification | C:\Windows\472.tmp | rundll32.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird | Cerber5.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server | Cerber5.exe
File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook | Cerber5.exe
Five of the 64 rows are actual writes into C:\Windows: BadRabbit.exe creates infpub.dat, rundll32.exe then modifies infpub.dat and 472.tmp and creates dispci.exe (472.tmp is executed as PID 4736 under "Executes dropped EXE"), and WerFault.exe writes its own Amcache.hve.tmp. The remaining 59 rows are Cerber5.exe probing its target-folder list under the LocalService and NetworkService profiles, the same list seen against the SYSTEM profile under "Drops file in System32 directory". For triage, C:\Windows\infpub.dat, C:\Windows\dispci.exe and C:\Windows\472.tmp are the artefacts worth collecting from this section.
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
5092 | 4216 | WerFault.exe | mshta.exe
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
InfinityCrypt.exe, GandCrab.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | InfinityCrypt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | InfinityCrypt.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GandCrab.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GandCrab.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | GandCrab.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
SCHTASKS.exe, schtasks.exe, schtasks.exe
pid | process
4852 | SCHTASKS.exe
5068 | schtasks.exe
5080 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
4420 | vssadmin.exe
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid | process
4100 | taskkill.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
-
Modifies registry class 2 IoCs
Processes:
chrome.exe, Cerber5.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | Cerber5.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE
pid | process
5104 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exe (x10), software_reporter_tool.exe, rundll32.exe, GandCrab.exe, 472.tmp, DeriaLock.exe
pid | process
3504 | chrome.exe
3504 | chrome.exe
2504 | chrome.exe
2504 | chrome.exe
2112 | chrome.exe
2112 | chrome.exe
1976 | chrome.exe
1976 | chrome.exe
3992 | chrome.exe
3992 | chrome.exe
2848 | chrome.exe
2848 | chrome.exe
2832 | chrome.exe
2832 | chrome.exe
1364 | chrome.exe
1364 | chrome.exe
2160 | chrome.exe
2160 | chrome.exe
3084 | chrome.exe
3084 | chrome.exe
3084 | chrome.exe
3084 | chrome.exe
3168 | software_reporter_tool.exe
3168 | software_reporter_tool.exe
4132 | rundll32.exe
4132 | rundll32.exe
4132 | rundll32.exe
4132 | rundll32.exe
1040 | GandCrab.exe
1040 | GandCrab.exe
1040 | GandCrab.exe
1040 | GandCrab.exe
4736 | 472.tmp
4736 | 472.tmp
4736 | 472.tmp
4736 | 472.tmp
4736 | 472.tmp
4736 | 472.tmp
4736 | 472.tmp
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
4024 | DeriaLock.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
mssql.exe
pid | process
4480 | mssql.exe
-
Suspicious behavior: LoadsDriver 32 IoCs
Processes:
mssql.exepid process 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe 4480 mssql.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
chrome.exepid process 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
software_reporter_tool.exe (x4), Fantom.exe, rundll32.exe, DeriaLock.exe, taskkill.exe, mssql.exe, mssql2.exe, 472.tmp, Cerber5.exe, vssvc.exe, WerFault.exe, shutdown.exe, InfinityCrypt.exe
description | pid | process
Token: 33 | 3960 | software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege | 3960 | software_reporter_tool.exe
Token: 33 | 3168 | software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege | 3168 | software_reporter_tool.exe
Token: 33 | 1064 | software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege | 1064 | software_reporter_tool.exe
Token: 33 | 2336 | software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege | 2336 | software_reporter_tool.exe
Token: SeDebugPrivilege | 1716 | Fantom.exe
Token: SeShutdownPrivilege | 4132 | rundll32.exe
Token: SeDebugPrivilege | 4132 | rundll32.exe
Token: SeTcbPrivilege | 4132 | rundll32.exe
Token: SeDebugPrivilege | 4024 | DeriaLock.exe
Token: SeDebugPrivilege | 4100 | taskkill.exe
Token: SeDebugPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeDebugPrivilege | 4516 | mssql2.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeLoadDriverPrivilege | 4480 | mssql.exe
Token: SeDebugPrivilege | 4736 | 472.tmp
Token: SeShutdownPrivilege | 3252 | Cerber5.exe
Token: SeCreatePagefilePrivilege | 3252 | Cerber5.exe
Token: SeBackupPrivilege | 684 | vssvc.exe
Token: SeRestorePrivilege | 684 | vssvc.exe
Token: SeAuditPrivilege | 684 | vssvc.exe
Token: SeRestorePrivilege | 5092 | WerFault.exe
Token: SeBackupPrivilege | 5092 | WerFault.exe
Token: SeBackupPrivilege | 5092 | WerFault.exe
Token: SeDebugPrivilege | 5092 | WerFault.exe
Token: SeShutdownPrivilege | 4440 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 4440 | shutdown.exe
Token: SeDebugPrivilege | 3592 | InfinityCrypt.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exepid process 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe 2504 chrome.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
mssql.exe, mssql2.exe, LogonUI.exe
pid | process
4480 | mssql.exe
4516 | mssql2.exe
4480 | mssql.exe
2620 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 2504 wrote to memory of 2544 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 2544 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe 
PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 944 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3504 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3504 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe PID 2504 wrote to memory of 3760 2504 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe70c84f50,0x7ffe70c84f60,0x7ffe70c84f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
Process tree (indented by nesting level; each entry gives the image path, then the command line, then the signatures the sandbox attached to it)

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6008 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3220 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8

  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
    "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=RuRBqrIGEQGpF+GadOfc7Y+eOqwPasJcIH6+dADS --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=96.276.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6d3e5f510,0x7ff6d3e5f520,0x7ff6d3e5f530
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3168_OYDKRCEKIUBFRSKC" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=1791137155801378184 --mojo-platform-channel-handle=696 --engine=2
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3168_OYDKRCEKIUBFRSKC" --sandboxed-process-id=3 --init-done-notifier=924 --sandbox-mojo-pipe-token=10874859809171559376 --mojo-platform-channel-handle=920
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1016 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1284 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:8

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Ransomware\Cerber5.exe
  "C:\Users\Admin\Desktop\Ransomware\Cerber5.exe"
  - Drops startup file
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

  C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset

  C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___993VY9PI_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1740
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Drops file in Windows directory
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___FKSIT4GL_.txt
    - Opens file in notepad (likely ransom note)

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit

C:\Users\Admin\Desktop\Ransomware\DeriaLock.exe
  "C:\Users\Admin\Desktop\Ransomware\DeriaLock.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Ransomware\Dharma.exe
  "C:\Users\Admin\Desktop\Ransomware\Dharma.exe"

  C:\Users\Admin\Desktop\Ransomware\ac\nc123.exe
    "C:\Users\Admin\Desktop\Ransomware\ac\nc123.exe"
    - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls

  C:\Users\Admin\Desktop\Ransomware\ac\mssql.exe
    "C:\Users\Admin\Desktop\Ransomware\ac\mssql.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Desktop\Ransomware\ac\mssql2.exe
    "C:\Users\Admin\Desktop\Ransomware\ac\mssql2.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\Ransomware\Fantom.exe
  "C:\Users\Admin\Desktop\Ransomware\Fantom.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    - Executes dropped EXE

C:\Users\Admin\Desktop\Ransomware\$uckyLocker.exe
  "C:\Users\Admin\Desktop\Ransomware\$uckyLocker.exe"
  - Sets desktop wallpaper using registry

C:\Users\Admin\Desktop\Ransomware\7ev3n.exe
  "C:\Users\Admin\Desktop\Ransomware\7ev3n.exe"

  C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat

    C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      - Creates scheduled task(s)

    C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        - Modifies WinLogon for persistence

    C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        - Adds Run key to start application

    C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64

    C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64

    C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64

    C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f

      C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -t 10 -f
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Ransomware\InfinityCrypt.exe
  "C:\Users\Admin\Desktop\Ransomware\InfinityCrypt.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Ransomware\Birele.exe
  "C:\Users\Admin\Desktop\Ransomware\Birele.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application

  C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Ransomware\BadRabbit.exe
  "C:\Users\Admin\Desktop\Ransomware\BadRabbit.exe"
  - Drops file in Windows directory

  C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    - Modifies extensions of user files
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal

      C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /F /TN rhaegal

    C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1993666915 && exit"

      C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1993666915 && exit"
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:21:00

      C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:21:00
        - Creates scheduled task(s)

    C:\Windows\472.tmp
      "C:\Windows\472.tmp" \\.\pipe\{4924D939-AC2A-4061-BECF-A47ECD476C0E}
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Ransomware\GandCrab.exe
  "C:\Users\Admin\Desktop\Ransomware\GandCrab.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet

    C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 /state0:0xa3ada055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Winlogon Helper DLL (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (2)
- Scheduled Task (1)

Defense Evasion
- Modify Registry (5)
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- File Deletion (2)
Downloads