Malware Analysis Report

2024-10-16 03:30

Sample ID: 220426-c9me1aagd5
Target: f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.zip
SHA256: 0c1f2f914e5b512df229ffea8a27078ddcf992eb175fc05d02aa3bc3fe29a932
Tags: darkside, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 0c1f2f914e5b512df229ffea8a27078ddcf992eb175fc05d02aa3bc3fe29a932

Threat Level: Known bad

The file f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.zip was found to be: Known bad.

Malicious Activity Summary

darkside ransomware

DarkSide

Modifies extensions of user files

Sets desktop wallpaper using registry

Drops file in System32 directory

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies Control Panel

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-04-26 02:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-26 02:46
Reported: 2022-04-26 02:49
Platform: win10v2004-20220414-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"

Signatures

DarkSide

Tags: darkside, ransomware

Modifies extensions of user files

Tags: ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CheckpointExport.tif => C:\Users\Admin\Pictures\CheckpointExport.tif.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\EditStart.tif.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeProtect.png => C:\Users\Admin\Pictures\InvokeProtect.png.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectSwitch.png.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartCompare.tiff C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File renamed C:\Users\Admin\Pictures\UseRequest.tiff => C:\Users\Admin\Pictures\UseRequest.tiff.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\SendSuspend.tiff C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\SendSuspend.tiff.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseRequest.tiff C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File renamed C:\Users\Admin\Pictures\StartCompare.tiff => C:\Users\Admin\Pictures\StartCompare.tiff.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\CheckpointExport.tif.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File renamed C:\Users\Admin\Pictures\EditStart.tif => C:\Users\Admin\Pictures\EditStart.tif.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\InvokeProtect.png.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File renamed C:\Users\Admin\Pictures\SelectSwitch.png => C:\Users\Admin\Pictures\SelectSwitch.png.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File renamed C:\Users\Admin\Pictures\SendSuspend.tiff => C:\Users\Admin\Pictures\SendSuspend.tiff.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartCompare.tiff.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseRequest.tiff.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\32BEF7445D3877840B9278005FC36591 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9F909B7BD589CDDA5B1BBEF5FBC3017E C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9F909B7BD589CDDA5B1BBEF5FBC3017E C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\32BEF7445D3877840B9278005FC36591 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A

Sets desktop wallpaper using registry

Tags: ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\e8d35568.BMP" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Control Panel

Tags: evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 040100008df98eb12859d801 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0814770b086a0f006537e73b226e19fe6c80962f63ea6015225ba4b8d099d43a C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3f76ed7eaf56021595853d0d634df3e7a030d606fa67f47eee4f55df00c5bb02 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 775ae0f363f57b2ab3a2445342df3efb9beb444cd9cf3e1fcab02b86dda4348b C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1102e550173afcd999c00d0895dec1f849118d13ab949e792689110f1f59878f C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = cc6b43771479fe494ce2c0d59001496c0fcd3c4bb91902bb27bb668b3a5455fe C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 15a39bd91032a6c2255e3d4c23d5643a2278c30bfa1047ce6ae6d62aea8c85ba C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\e8d35568.BMP" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8a29e91ff2f09743cb1233f105eb7c2d786c26c157f4c62641e030fd316f6b89 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\International C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 9fa71aff4b5b5bc04b7460dde9adebbdef87d755aa7ba8a97dccf21a70933fbe C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 92690a7bb4b84b9bb836fe708ee200a1ff037633c21239e0b70e5ed447f6286e C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d41800067181970fcb0a6beef7d74133f4ca358637c3bc872ede39d675d20d10 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.e8d35568\ = "e8d35568" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e8d35568\DefaultIcon C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e8d35568 C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\e8d35568\DefaultIcon\ = "C:\\ProgramData\\e8d35568.ico" C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A

Opens file in notepad (likely ransom note)

Tags: ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A (×2)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe N/A (×32)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×9)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×6)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×3)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×35)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×26)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
PID 4844 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
PID 3428 wrote to memory of 3452 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 3984 wrote to memory of 3744 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 2792 wrote to memory of 64 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2792 wrote to memory of 3236 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2792 wrote to memory of 4828 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2792 wrote to memory of 3908 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

"C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

"C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

"C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe -work worker0 job0-4844

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UninstallUnpublish.bin

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterLock.wmf.e8d35568

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd52174f50,0x7ffd52174f60,0x7ffd52174f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1848 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9151600240862948712,2226229098787425149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8

Network

Country Destination Domain Proto

Files

memory/4844-130-0x0000000000000000-mapping.dmp

memory/260-131-0x0000000000000000-mapping.dmp

memory/3452-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\UnregisterLock.wmf.e8d35568

MD5 d7e4d1d5b47f1e4097c671f41aa42cf8
SHA1 07cfe081a8abfd84794b252974f0c0e7b34e3683
SHA256 b42e375fcdc259201ecdb59e2c3e2665779ae934eea7dde1d93411752eb6892f
SHA512 94c9ff8024512b05602a3d50469389c946f9d0e175f013c79b9e3b4b695c7873f742e990b91542ef1c8512d2059b74d3bb169c5dfef639e00b7fb3870c9700ec

memory/3744-134-0x0000000000000000-mapping.dmp

\??\pipe\crashpad_2792_YLSPNQBRODBXDCVD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e