Overview

overview

10

Static

static

Avos_18_07...KB.exe

windows7_x64

10

Analysis

  • max time kernel
    385s
  • max time network
    366s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-01-2022 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Avos_18_07_2021_403KB.exe

  • Size

    402KB

  • MD5

    de6152b2b3a181509c5d71a332a75043

  • SHA1

    d62c0ad2ec132065c5807c0fe7a4cabcba34cf29

  • SHA256

    01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f

  • SHA512

    99df08f8c0d966c1ca866cc414939ee9ff23a044496497edd5c64fb83a7011718183272f9001dec97111a8e8387218632c7ef6a9f00644e01363540002f5b0d4

Score
10/10
avoslockerransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Your ID: a897b099bf811da5f3a69ceedd351c4f9afac28b8d72f4544d4d6a521209ad24
URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Downloads MZ/PE file
  • Executes dropped EXE 22 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Avos_18_07_2021_403KB.exe
    "C:\Users\Admin\AppData\Local\Temp\Avos_18_07_2021_403KB.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    PID:1776
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1604
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1932
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    • Suspicious use of FindShellTrayWindow
    PID:112
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a64f50,0x7fef6a64f60,0x7fef6a64f70
      2⤵
        PID:548
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1092 /prefetch:2
        2⤵
          PID:780
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1260 /prefetch:8
          2⤵
            PID:1208
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
            2⤵
              PID:1536
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
              2⤵
                PID:1596
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
                2⤵
                  PID:612
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
                  2⤵
                    PID:2080
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1120 /prefetch:2
                    2⤵
                      PID:2148
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=828 /prefetch:1
                      2⤵
                        PID:2192
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
                        2⤵
                          PID:2252
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:8
                          2⤵
                            PID:2260
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
                            2⤵
                              PID:2340
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
                              2⤵
                                PID:2428
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
                                2⤵
                                  PID:2488
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
                                  2⤵
                                    PID:2592
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
                                    2⤵
                                      PID:2628
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:8
                                      2⤵
                                        PID:2672
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8
                                        2⤵
                                          PID:2680
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
                                          2⤵
                                            PID:2688
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
                                            2⤵
                                              PID:2696
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 /prefetch:8
                                              2⤵
                                                PID:2732
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8
                                                2⤵
                                                  PID:2768
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3488 /prefetch:8
                                                  2⤵
                                                    PID:2916
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
                                                    2⤵
                                                      PID:2924
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
                                                      2⤵
                                                        PID:2988
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
                                                        2⤵
                                                          PID:3048
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:8
                                                          2⤵
                                                            PID:1600
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
                                                            2⤵
                                                              PID:2120
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:8
                                                              2⤵
                                                                PID:2132
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
                                                                2⤵
                                                                  PID:2264
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
                                                                  2⤵
                                                                    PID:2252
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:8
                                                                    2⤵
                                                                      PID:876
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
                                                                      2⤵
                                                                        PID:2204
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
                                                                        2⤵
                                                                          PID:2320
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
                                                                          2⤵
                                                                            PID:2212
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
                                                                            2⤵
                                                                              PID:2428
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
                                                                              2⤵
                                                                                PID:2632
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2100 /prefetch:8
                                                                                2⤵
                                                                                  PID:2704
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1744 /prefetch:8
                                                                                  2⤵
                                                                                    PID:2712
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:8
                                                                                    2⤵
                                                                                      PID:2488
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:8
                                                                                      2⤵
                                                                                        PID:2848
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:8
                                                                                        2⤵
                                                                                          PID:2856
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
                                                                                          2⤵
                                                                                            PID:2860
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:8
                                                                                            2⤵
                                                                                              PID:2852
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3556 /prefetch:8
                                                                                              2⤵
                                                                                                PID:2124
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
                                                                                                2⤵
                                                                                                  PID:2160
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3360 /prefetch:8
                                                                                                  2⤵
                                                                                                    PID:2140
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
                                                                                                    2⤵
                                                                                                      PID:2260
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
                                                                                                      2⤵
                                                                                                        PID:2292
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
                                                                                                        2⤵
                                                                                                          PID:2128
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
                                                                                                          2⤵
                                                                                                            PID:1632
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:8
                                                                                                            2⤵
                                                                                                              PID:2244
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
                                                                                                              2⤵
                                                                                                                PID:2456
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
                                                                                                                2⤵
                                                                                                                  PID:2396
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
                                                                                                                  2⤵
                                                                                                                    PID:2472
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=764 /prefetch:8
                                                                                                                    2⤵
                                                                                                                      PID:2900
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1592 /prefetch:8
                                                                                                                      2⤵
                                                                                                                        PID:2792
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
                                                                                                                        2⤵
                                                                                                                          PID:2636
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
                                                                                                                          2⤵
                                                                                                                            PID:3068
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 /prefetch:8
                                                                                                                            2⤵
                                                                                                                            • Loads dropped DLL
                                                                                                                            PID:2680
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10903846938737078337,5914357124061385417,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3624 /prefetch:8
                                                                                                                            2⤵
                                                                                                                            • Loads dropped DLL
                                                                                                                            PID:2724
                                                                                                                          • C:\Users\Admin\Downloads\torbrowser-install-win64-11.0.4_en-US.exe
                                                                                                                            "C:\Users\Admin\Downloads\torbrowser-install-win64-11.0.4_en-US.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Loads dropped DLL
                                                                                                                            PID:2420
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Checks processor information in registry
                                                                                                                              PID:1940
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2284
                                                                                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                                4⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Checks processor information in registry
                                                                                                                                PID:2316
                                                                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                          "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                          1⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          PID:2064
                                                                                                                          • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                            "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Loads dropped DLL
                                                                                                                            • Checks processor information in registry
                                                                                                                            PID:1324
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1324.0.764708670\404874306" -parentBuildID 20220602050101 -prefsHandle 980 -prefMapHandle 972 -prefsLen 1 -prefMapSize 239150 -appdir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 1324 gpu
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2960
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:772
                                                                                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                                4⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Checks processor information in registry
                                                                                                                                PID:1084
                                                                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                          "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                          1⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          PID:2644
                                                                                                                          • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                            "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Loads dropped DLL
                                                                                                                            • Checks processor information in registry
                                                                                                                            PID:2628
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2628.0.804700907\1208409997" -parentBuildID 20220602050101 -prefsHandle 988 -prefMapHandle 980 -prefsLen 1 -prefMapSize 239150 -appdir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 2628 gpu
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1064
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1456
                                                                                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                                4⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Checks processor information in registry
                                                                                                                                PID:1016
                                                                                                                                • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                                  "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1016.0.332937747\1819585627" -parentBuildID 20220602050101 -prefsHandle 996 -prefMapHandle 988 -prefsLen 1 -prefMapSize 239150 -appdir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 1016 gpu
                                                                                                                                  5⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  PID:2876
                                                                                                                                • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                                  "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                                  5⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2772
                                                                                                                        • C:\Windows\system32\taskmgr.exe
                                                                                                                          "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                          1⤵
                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                          PID:992
                                                                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                          "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                          1⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Checks processor information in registry
                                                                                                                          PID:2460
                                                                                                                          • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                            "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2460.0.1984617553\1928746415" -parentBuildID 20220602050101 -prefsHandle 1008 -prefMapHandle 992 -prefsLen 1 -prefMapSize 239150 -appdir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 2460 gpu
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2336
                                                                                                                          • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                            "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2840
                                                                                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Checks processor information in registry
                                                                                                                              PID:1668
                                                                                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1668.0.429994733\205469630" -parentBuildID 20220602050101 -prefsHandle 976 -prefMapHandle 968 -prefsLen 1 -prefMapSize 239150 -appdir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 1668 gpu
                                                                                                                                4⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:1932
                                                                                                                        • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
                                                                                                                          1⤵
                                                                                                                            PID:1256

                                                                                                                          Network

                                                                                                                          MITRE ATT&CK Enterprise v6

                                                                                                                          Replay Monitor

                                                                                                                          Loading Replay Monitor...

                                                                                                                          Downloads

                                                                                                                          • memory/1016-521-0x00000000033E0000-0x000000000B70F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/1064-367-0x00000000029D0000-0x000000000ACFF000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/1084-356-0x00000000032D0000-0x000000000B5FF000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/1324-158-0x0000000003620000-0x000000000B94F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/1604-53-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            8KB

                                                                                                                            Download

                                                                                                                          • memory/1668-917-0x0000000003300000-0x000000000B62F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/1940-68-0x00000000035A0000-0x000000000B8CF000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/2316-69-0x00000000080B0000-0x00000000103DF000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/2336-755-0x0000000002A30000-0x000000000AD5F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/2460-715-0x0000000003280000-0x000000000B5AF000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/2628-313-0x0000000003370000-0x000000000B69F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/2876-547-0x0000000002A00000-0x000000000AD2F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download

                                                                                                                          • memory/2960-175-0x0000000002900000-0x000000000AC2F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            131.2MB

                                                                                                                            Download