blackcat | 65b331074f906c46057da085ffdd1d98b61632a3e996cd252d4548a5e4c6bb10

Resubmissions

29-12-2022 04:38

221229-e9sm5acd27 10

29-12-2022 04:35

10-11-2022 11:04

10-11-2022 11:03

10-11-2022 11:00

10-11-2022 10:58

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=HUUKVBCWb2JMHTEF8r450E4hcfSSg91ZDKYb5LVGTDmJ44rfxhy3cDI%2FlUcDrmUHKmFjDOh%2FL42bAi5VKwNd8PnaD8grquVIVC7tdS1Oh6A%2BA%2FYNC1rDSZ6rkvheBJnY9SxO94O%2BloadddVKpBicKmHw9jx29Nd%2BfXF4MiiCcP%2Bf8mXtv628HC5z2WV40PlrQ5YbqONBiCYgrM6Eci6th1TQ%2Fpd4hbCMVAhH%2FMaMVtQZ9745GRRmSUzPuPDHWm1UTvrIyPeluPq766Sb5DeozALBJTR%2FkHz6XwrTrw3fVprr0ycUGcsuWtKjcLTLiJGNB419wGdbjndaLAW9N%2FNL4w%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=HUUKVBCWb2JMHTEF8r450E4hcfSSg91ZDKYb5LVGTDmJ44rfxhy3cDI%2FlUcDrmUHKmFjDOh%2FL42bAi5VKwNd8PnaD8grquVIVC7tdS1Oh6A%2BA%2FYNC1rDSZ6rkvheBJnY9SxO94O%2BloadddVKpBicKmHw9jx29Nd%2BfXF4MiiCcP%2Bf8mXtv628HC5z2WV40PlrQ5YbqONBiCYgrM6Eci6th1TQ%2Fpd4hbCMVAhH%2FMaMVtQZ9745GRRmSUzPuPDHWm1UTvrIyPeluPq766Sb5DeozALBJTR%2FkHz6XwrTrw3fVprr0ycUGcsuWtKjcLTLiJGNB419wGdbjndaLAW9N%2FNL4w%3D%3D

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
816	alg.exe
3852	DiagnosticsHub.StandardCollector.Service.exe
296	fxssvc.exe
4808	elevation_service.exe

Modifies extensions of user files 19 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompleteResolve.tiff	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteResolve.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ConvertToInvoke.png => C:\Users\Admin\Pictures\ConvertToInvoke.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\DebugEnable.crw => C:\Users\Admin\Pictures\DebugEnable.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\MeasureDeny.raw => C:\Users\Admin\Pictures\MeasureDeny.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureDeny.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\RestartAdd.crw => C:\Users\Admin\Pictures\RestartAdd.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\RestartAdd.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\SetWrite.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\UninstallRename.png => C:\Users\Admin\Pictures\UninstallRename.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallRename.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToInvoke.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\OutStop.raw => C:\Users\Admin\Pictures\OutStop.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\WaitShow.crw => C:\Users\Admin\Pictures\WaitShow.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\CompleteResolve.tiff => C:\Users\Admin\Pictures\CompleteResolve.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\DebugEnable.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\OutStop.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\SetWrite.crw => C:\Users\Admin\Pictures\SetWrite.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\WaitShow.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2629973501-4017243118-3254762364-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2629973501-4017243118-3254762364-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\F:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\plnmfkdm.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\SysWOW64\homgdblb.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\SysWOW64\kkepldqk.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\nhjfqaoc.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\eagdacjn.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\diagsvcs\fphddnbf.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\kpcogeae.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\pkhmpfkn.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\qoahlqql.tmp	alg.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	alg.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\domomlkc.tmp	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1236	4808	WerFault.exe	131

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4848	vssadmin.exe
3912	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperStyle = "0"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
556	chrome.exe
556	chrome.exe
4192	chrome.exe
4192	chrome.exe
3836	chrome.exe
3836	chrome.exe
2436	chrome.exe
2436	chrome.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
1780	chrome.exe
1780	chrome.exe
816	alg.exe
816	alg.exe
1536	chrome.exe
1536	chrome.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
3468	chrome.exe
3468	chrome.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe
816	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4248	WMIC.exe
Token: SeSecurityPrivilege	4248	WMIC.exe
Token: SeTakeOwnershipPrivilege	4248	WMIC.exe
Token: SeLoadDriverPrivilege	4248	WMIC.exe
Token: SeSystemProfilePrivilege	4248	WMIC.exe
Token: SeSystemtimePrivilege	4248	WMIC.exe
Token: SeProfSingleProcessPrivilege	4248	WMIC.exe
Token: SeIncBasePriorityPrivilege	4248	WMIC.exe
Token: SeCreatePagefilePrivilege	4248	WMIC.exe
Token: SeBackupPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	4248	WMIC.exe
Token: SeShutdownPrivilege	4248	WMIC.exe
Token: SeDebugPrivilege	4248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4248	WMIC.exe
Token: SeRemoteShutdownPrivilege	4248	WMIC.exe
Token: SeUndockPrivilege	4248	WMIC.exe
Token: SeManageVolumePrivilege	4248	WMIC.exe
Token: 33	4248	WMIC.exe
Token: 34	4248	WMIC.exe
Token: 35	4248	WMIC.exe
Token: 36	4248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4248	WMIC.exe
Token: SeSecurityPrivilege	4248	WMIC.exe
Token: SeTakeOwnershipPrivilege	4248	WMIC.exe
Token: SeLoadDriverPrivilege	4248	WMIC.exe
Token: SeSystemProfilePrivilege	4248	WMIC.exe
Token: SeSystemtimePrivilege	4248	WMIC.exe
Token: SeProfSingleProcessPrivilege	4248	WMIC.exe
Token: SeIncBasePriorityPrivilege	4248	WMIC.exe
Token: SeCreatePagefilePrivilege	4248	WMIC.exe
Token: SeBackupPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	4248	WMIC.exe
Token: SeShutdownPrivilege	4248	WMIC.exe
Token: SeDebugPrivilege	4248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4248	WMIC.exe
Token: SeRemoteShutdownPrivilege	4248	WMIC.exe
Token: SeUndockPrivilege	4248	WMIC.exe
Token: SeManageVolumePrivilege	4248	WMIC.exe
Token: 33	4248	WMIC.exe
Token: 34	4248	WMIC.exe
Token: 35	4248	WMIC.exe
Token: 36	4248	WMIC.exe
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe
Token: SeTakeOwnershipPrivilege	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Token: SeAuditPrivilege	296	fxssvc.exe
Token: SeTakeOwnershipPrivilege	816	alg.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4360	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	77
PID 4736 wrote to memory of 4360	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	77
PID 4736 wrote to memory of 4360	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	77
PID 4360 wrote to memory of 4248	4360	cmd.exe	79
PID 4360 wrote to memory of 4248	4360	cmd.exe	79
PID 4360 wrote to memory of 4248	4360	cmd.exe	79
PID 4736 wrote to memory of 2632	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	81
PID 4736 wrote to memory of 2632	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	81
PID 4736 wrote to memory of 2632	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	81
PID 2632 wrote to memory of 2936	2632	cmd.exe	83
PID 2632 wrote to memory of 2936	2632	cmd.exe	83
PID 2632 wrote to memory of 2936	2632	cmd.exe	83
PID 4736 wrote to memory of 3104	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	84
PID 4736 wrote to memory of 3104	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	84
PID 4736 wrote to memory of 3104	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	84
PID 3104 wrote to memory of 4796	3104	cmd.exe	86
PID 3104 wrote to memory of 4796	3104	cmd.exe	86
PID 3104 wrote to memory of 4796	3104	cmd.exe	86
PID 4736 wrote to memory of 4328	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	87
PID 4736 wrote to memory of 4328	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	87
PID 4736 wrote to memory of 4324	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	88
PID 4736 wrote to memory of 4324	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	88
PID 4736 wrote to memory of 4324	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	88
PID 4328 wrote to memory of 4848	4328	cmd.exe	91
PID 4328 wrote to memory of 4848	4328	cmd.exe	91
PID 4324 wrote to memory of 1156	4324	cmd.exe	92
PID 4324 wrote to memory of 1156	4324	cmd.exe	92
PID 4324 wrote to memory of 1156	4324	cmd.exe	92
PID 4736 wrote to memory of 4052	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	94
PID 4736 wrote to memory of 4052	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	94
PID 4736 wrote to memory of 4052	4736	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	94
PID 4052 wrote to memory of 1908	4052	cmd.exe	96
PID 4052 wrote to memory of 1908	4052	cmd.exe	96
PID 4052 wrote to memory of 1908	4052	cmd.exe	96
PID 4192 wrote to memory of 1132	4192	chrome.exe	107
PID 4192 wrote to memory of 1132	4192	chrome.exe	107
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112
PID 4192 wrote to memory of 4776	4192	chrome.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe -a 12345
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "wmic csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2L:1
    3⤵
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2R:1
    3⤵
    PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "arp -a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    PID:1908
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  PID:3960
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa06054f50,0x7ffa06054f60,0x7ffa06054f70
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1740,759866190982202748,13012137811211252919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
  2⤵
  PID:3836

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4808 -s 404
  2⤵
  - Program crash
  PID:1236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4808 -ip 4808
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.8MB

MD5
3462a49f413609f4ed52da88455b3b89

SHA1
0812f0b6bee425a7a408048e309cb85e3f88126a

SHA256
b852ca3aa9bf157333d7f6bf6fd74d61d4cd9f21e2786f1870fcf18ebcd97c79

SHA512
b2647cb6483db67c3c4009466ec91bbf8e3f1f75abc491802ecefcf7487f7440acbfbd0ab77fcd3e18b9919f53f273e9a01b2d310ee259e71cbc539d555fb499

Download Submit
C:\Users\Admin\Desktop\ClearSubmit.3g2.sykffle

Filesize
231KB

MD5
4a5d366e6c718a45d75a5102d255bf1d

SHA1
c4b2a51b603791e82da995f2cbcdbe76b95183a5

SHA256
c13636e1642b5e5fe7534754b0194db37e0ac8af3ee110f927c9137dccfb429e

SHA512
b0231ddb1b0bd54f4f5baf8bb2cc18512a6504aeea2b30c521d7c708c94d7ef703fb38026b1356b796775231d448c7b235aaf5973f3828d169ed282228e50085

Download Submit
C:\Users\Admin\Desktop\CompressComplete.WTV.sykffle

Filesize
319KB

MD5
e9a894d16e7e83dae0d7a49fb0b8ddb0

SHA1
79b6561cad37a74862f38f0e8073eec5168f1bfa

SHA256
10d1390d082a1613d057d56fbc31f63137db588a66e787df568f894869899d19

SHA512
7f39b9690f56559a222c4731dfd6a73ecb16b42c0f5a0ef4e01a28313c9c543081b48b5e84587e3b6f4fde42c310686c7dcd62198c783772e855560c48e114f6

Download Submit
C:\Users\Admin\Desktop\EnterConfirm.svgz.sykffle

Filesize
133KB

MD5
a966083938fa8296478346cd4384b73c

SHA1
d964b495b4e68530bb4b99cdd8713a5650cd9590

SHA256
0d3a4916cdfce6f01a2403b8730315eb8f8fd683fbfa3b29c2edf0f20f41fa51

SHA512
3b6b68570f43d2e96ee6535e08372455c74405f831f008b62ff18c85dcc9d6b028819ef02ec3ea665053f6a4edc5ce8a3f749f630aa0a077e1a6276021e24ee9

Download Submit
C:\Users\Admin\Desktop\ExitSearch.mp2.sykffle

Filesize
369KB

MD5
00a3e4e05657e2e0cec5299548390cba

SHA1
43d6a7c813b7ed0f7a2d0c68d2bbd5abb87c8841

SHA256
1a13ffbb3e6d9ec73b0eed4c617da0fc0de28a6fddf5f1fb351f7a704b99b5c0

SHA512
e3e90019878c703f82a4cf02702eefb652053d8a083fdb150d5fc65cdbcde7483d2f334d2e96f3043afa2d04e79754b86df90c115c18da713fe95350d52bff83

Download Submit
C:\Users\Admin\Desktop\GrantDisable.ods.sykffle

Filesize
211KB

MD5
9e060813ba2291d8562356bf1372f2bd

SHA1
e2f8ea134a26ed936c407894f93a8f93686477d9

SHA256
0aba838e78224c2e5da96647b74d2d05c13fb2c1a255e2e3693015941c6e3266

SHA512
7e0dbf6857ffaea444d22f8e75ec1814d464ff22217fb6f176913b8762b9a99807a7810f064914eee671ff6f1c673804e11b6c687e8c4c6ed385c2359c7768fa

Download Submit
C:\Users\Admin\Desktop\InvokeEnable.txt.sykffle

Filesize
172KB

MD5
c2cc221a8e27dc419990ceba78f3ad46

SHA1
08883cde3c0fe4b67c69ac9ab8f9dd308710145b

SHA256
6788385fd52345a288a4fd2cd882a3e53cedc2abf36df673b95aa0c258cacbe3

SHA512
d2ed65cb0acb96d522796d7aadab52f2737440bd14e31a851166eb55dcb8608e5804e4683bed63fd2402f646da6a7179a9ce159e2514208a3ce2dc58ed37d774

Download Submit
C:\Users\Admin\Desktop\InvokeRestore.ADT.sykffle

Filesize
241KB

MD5
5d1b0c17a1d48d4aa530e68aaba7324e

SHA1
c64b6810486d64feb924b642d029b698abd5c302

SHA256
a62edd81d2d0aa9954a133732f987c5b2f0b39ead85345573a23769422cf5fbe

SHA512
bd58096236623eded73a2c5e9ca513702877ab48abf8d83a8d70cad6230274fdddf1d596713b14848b784d4ff716ce8c758a9cd5261e81b055427295d591e8a1

Download Submit
C:\Users\Admin\Desktop\JoinApprove.ADT.sykffle

Filesize
349KB

MD5
44159bcfe62013195d789a5a909a0ac9

SHA1
621bd9a4654df35b2944e24d1d7794050d774506

SHA256
fd0a6789db9e7948d140c96c180e9675935aa8af73f783c64824f1ad1043020b

SHA512
77b2075ca5e9ac3296cc72732e12c99ffcf0fb708ffd26b1b2db8ae46872aed862e6d2f59ce696234cd005aed84c0101616a201ffe919eb9fd26c43347f296dc

Download Submit
C:\Users\Admin\Desktop\LimitReset.dot.sykffle

Filesize
201KB

MD5
e0722b72fe379b443750035a0f9338fb

SHA1
746eff97b32a9bd736b47852c2faa3c9b1ae9cb4

SHA256
70e6f7d22f8ffee9935aa4b914d608a4225ee3eaedb41906649cda7fb05bf0ca

SHA512
80f32bca76f50acfcc18b74c68805f9b6300b5968d3282a9b9bb16efc4bfecf5ba61f62296ee2def6319022406f3c76f48d0b42265ac4229b04f070588e12369

Download Submit
C:\Users\Admin\Desktop\LockSkip.mp3.sykffle

Filesize
192KB

MD5
06bfc1767d998ccaad6cb98f63cc1a60

SHA1
db61b243697b9494fef24caca683c5ddf7217c1a

SHA256
7a18b778741cd2d4087faddc2dbc346cd50bcfe4f3dd5a41cea4b20558230bb1

SHA512
8a1d950f42268e09216a2d363c9a4223961b5410494428f177d0c7eec152073d6a2e6609b70f49d1a46fdb6e42e0f90e37cfbead599295457070f483eb380b9f

Download Submit
C:\Users\Admin\Desktop\PushSend.mht.sykffle

Filesize
310KB

MD5
0b254cef1e297656d3194e83a827ee24

SHA1
df3ab0090741a71787f04cf8fdb6b84bc6512906

SHA256
ffe5b724aa02f9f45a06506fa6ca6faa15384c8eb47679885f8a25db74fa610c

SHA512
085d5f8d27a7ad9b55ea3493efc5da14bd18a09224842f13f5075c1ff2834d7fd9fcfaaf191352a5515add15c504f54fc075c12471c0a106391cd265fd17035d

Download Submit
C:\Users\Admin\Desktop\RECOVER-sykffle-FILES.txt

Filesize
1KB

MD5
ed1de1ea1b88e9d80930ad908e6793b7

SHA1
fce36bbedf73f5b6a83eee62547e6b5be887b43b

SHA256
ab4791ed39df4fb80bd44b6c107afaac2ab9d47b113c6298de02dbf5f3fac644

SHA512
79b8a876c3290576190bec367237fe4f90e55a1d04a7f71b07dc636a908ee03f666fc26b0b26806e8f268008ced59962f0c2ed887c67699f79a0d9e892e272a8

Download Submit
C:\Users\Admin\Desktop\RECOVER-sykffle-FILES.txt.png

Filesize
3KB

MD5
ec07ab4d75267d39784da0611b8d26d0

SHA1
3dd155942a4993a7887b0d70e033b3f3a9e5653a

SHA256
b61e68e4ded886db073e2e35ef51b6cf09de3ed4c3413e7dc8077b200f89e26c

SHA512
7d36b50ca2992e0ea0ad7211cde1bc52d1b981dd87a4fcd6743a3037e91ac46e456889b6e8eec6d452374e00bd0e7664a4c0fbf895f99dfabb5ba166d7a8fe01

Download Submit
C:\Users\Admin\Desktop\ReadJoin.docm.sykffle

Filesize
290KB

MD5
cd7fe0d267602f7c05bac9a0c47e6346

SHA1
13187911ff940a92fdb287c4ae3ffe104784d40e

SHA256
3d8723cacca9f22672c5804d0df566b19b369cc28ba759f7820044526ac433f7

SHA512
df6a34d62348e726764ed4def405e887efb026a58979887ca1bb2b4f8c1a6b3595fd2064acad57896309802ba2baac2258646a39ba4fcb2b0acaa4eca0b2bd13

Download Submit
C:\Users\Admin\Desktop\RemoveLock.mhtml.sykffle

Filesize
521KB

MD5
3a4d3b5ad0b5a22209a8eb9903585a2b

SHA1
780643ff8e71be43cf2e45edaed74c3a109adb41

SHA256
a8303d59a06dec81fe1f569354e2b38e9a04af7f531f160f25a0d36edca5c2d2

SHA512
75ddc851a0ccd3a0ea1e93838fcf90e484afc41999a87d169080fe88e4dc127c40faeb4e3b2b9dd0d7611bfbac461015ac5078007690e18871d826e6ad9c449d

Download Submit
C:\Users\Admin\Desktop\ResizeEnter.reg.sykffle

Filesize
152KB

MD5
3807d9f37b220e122ff6d88aadbecff1

SHA1
ead812f584cf8d45a5cb8d51cd2a62d03a827506

SHA256
fab18bcd6955c228daef9c0dfe6fd69de1060746fef6dcb23668421df560cbe8

SHA512
b0cf00d7f4c9ceedb349819f54c375fccadbc173f39880a6ca8c59d1cda35f12ef3f3bc302727fffab9b230f6fd2c3529b6b02a19067e41ba73a40b37c613e47

Download Submit
C:\Users\Admin\Desktop\SearchDebug.aiff.sykffle

Filesize
300KB

MD5
5f9c0c9b6869aecbf3111bff43c99817

SHA1
6fda0d0b29a347188bffb2770dd200008eab125a

SHA256
7573403c79b64ddeae5b7c12247e658d0a05af50a69a6192f46ff1e470e0bf04

SHA512
42f29db9140218106226c12ad1c2e02cb26ce535deea981ad443e592659f7c95c21a37610446ba991917a8382b6b877ff67657e36c84490e5c302e0c2b2a222a

Download Submit
C:\Users\Admin\Desktop\SetRedo.cr2.sykffle

Filesize
339KB

MD5
8e133db1b0430240214fac5147b1c164

SHA1
a2317a2efc1505520757ed23bd60e1614f0fea34

SHA256
9e71713c26e0ecc8615cff32fead5d0075e57a7b1a9dda9345a29c6ddf622f4a

SHA512
6f4033c22521f5f6b6ba86fc0053312887908e8905486b3a94e92923204796a6d91925bfe3e710daf85362fb1a152f0d54d0ac27ccf03752de6b13580ed11ec4

Download Submit
C:\Users\Admin\Desktop\StepSuspend.xlsx.sykffle

Filesize
260KB

MD5
be629fe7ee53600857f576f2c35e9e0e

SHA1
9e51517d13fab17dbe922f5f134bf73028699f48

SHA256
6c32d62c7ef9b4a2b9a5bc809675b0c68113fc0d4b012f2c49c97cf65946acb2

SHA512
c5731494cc747ad7b19fbf0b578a9d612eb90fb417f8d86e4434e810bc191f3254ae9bfce958733560c2afa127503f106f25b7498084eabd7c041cdbdaa007cc

Download Submit
C:\Users\Admin\Desktop\StopClear.m1v.sykffle

Filesize
182KB

MD5
f2d9522adb94ca301890e5d3d4c6eb6b

SHA1
4b7314c9c9fe5267e302f5dc9df18e6e4d255cc0

SHA256
513111f3a9d3fa4b86873d8c144d367338391d26ce077413eac7d48436f8fe73

SHA512
5226ba408a0d16281ebe4d1bbf41ed409f526428f10f5e42d66d28c7a0819da7d063fcf9672f83d804bd197721427e43ee951699ab02c99539bd6c2592663f50

Download Submit
C:\Users\Admin\Desktop\SuspendDismount.vssm.sykffle

Filesize
359KB

MD5
693b410c67d084beedd42696ff85c066

SHA1
8278a6f752e4a9130ce9e5ae90882254fbbc5ce7

SHA256
8a019d2785b75628469348046121c1b68a70e8623d5982b457d10a51e3097356

SHA512
0173bf470cd5ea12458b8ab04b3db252208c5d665a54a65647f9a1448d30bbc03459b7ca96015438703b4e74066efca92fb5277565725a1aed694d54e6cf7259

Download Submit
C:\Users\Admin\Desktop\UnlockSelect.otf.sykffle

Filesize
221KB

MD5
edf37b26b5a878ba1b3d447c3e839e68

SHA1
e1f8e5256f86c97f3382ba0340e57fee806b6ecc

SHA256
de7d62fab2b07db5863cb2c96f1fad5f05a45752a4b0b8fa77a9d4765d981820

SHA512
9a81158ff60f2f0a1e8e5a078967554549241dc3219554be1248926b1c5e3c4d266e99a08009a48b1e145c840db262ee43f9ad7c3ebebed77979440b6a8089c6

Download Submit
C:\Users\Admin\Desktop\UnprotectSave.aiff.sykffle

Filesize
162KB

MD5
87bd2edd4de8bddc788fa1a36183b4cc

SHA1
3b1ffe349669520bce77d0b5f6c1e717f76c0492

SHA256
ac5bf5132b78326c40ca4bc6230b68612df3f01e2028ad7ca5fbd4b19ec03fb2

SHA512
a984cbe48227b77741e4d04492f3d5a1a24e28182a7fdd2fc4b699fcd10de31670f2abb1c4f2bfad69d96c08bcfb096017731043a980ea8471d25284aa9e06af

Download Submit
C:\Users\Admin\Desktop\WatchStart.bmp.sykffle

Filesize
251KB

MD5
752b038a075e9c36f95b79d091f4a102

SHA1
129ab3ac6d7ba1bb37b8a54b3bc32fe77b6a9023

SHA256
c01825b42073c4fbf7fc7f6b8d14035e7f653205283e9b60975b0e37bf16c0d1

SHA512
19da648ba694c2ff9c393987910cc208008ed2a195767ce7ba2d5136b8217e4a370f4cb0f9fb02e0965a2bb8d1b4ed0134ff4264ee91eb221759821e732679f6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
c07813b80bd2df897743adca7f90d8ac

SHA1
c12a277944728835599abe9cd57633950662120f

SHA256
bdb13ac91352364a088d590fcc4c060afb97b0d32b77172ab81c6fbc2852244b

SHA512
59b948486505041378eeb7198b3296f51bd5d901d1c61f23f9df567947b64fe09b05bf31a4cd284d6733c1bae01fd643de08e861806eefb801c2554bb926aecc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
c8044090498052289700827c65c9332b

SHA1
2f8c27607d11da1a63539d7f4093cf6167a7a2c6

SHA256
767dde3d1b3d5b76168179ac3741465f13d2fd852b3c59f3e23c27657e0a9d4f

SHA512
d6c36a3b989a3278d36a82d3a0e6e7e062a358032f1e0cbad4146751a8536a3cc2b34431397f2d3428c5d61464d47bacff88f8005441ba2102d276c52fb6ae44

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
52c79ad82b97df451003c74b730d5af2

SHA1
0b5f90ffb82df6bd072098d65a58285d80612a39

SHA256
79fdbd8691918931810b0f45576d4f29028babadcc15b671c51681a3c9eff6a9

SHA512
f7cbd9ae2d247488b04448b953173d9dccb19e6a5d492cd9221dcd78a8c5e25b17ebc7007bbbc0495f16b9387c42b419daf88d14030f38372be8687c1f9a5052

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
28748e83bfd08dbbb0ba2c8d81837461

SHA1
3b76f0a0ed2c12c86811d96240412343f3e5f228

SHA256
c8f7545257edc0d02e1c4dc8cc4a5fa82049a72dab0754dbc43604dfa77b0dca

SHA512
c6848ad8105c489bc63f0af8d483e374b44ecc554622a098106235d55143c9a24e1d3dc833e041515395d8c16071c35a89ea40ef2709f5d727d6c80764b374ef

Download Submit
memory/296-157-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/296-154-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/816-159-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/816-155-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/816-149-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/3852-151-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3852-163-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4736-162-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4736-146-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4736-147-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4736-134-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4736-133-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download