Analysis

  • max time kernel
    568s
  • max time network
    506s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2022 15:40

General

  • Target

    windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

  • Size

    884KB

  • MD5

    da13022097518d123a91a3958be326da

  • SHA1

    24a71ab462594d5a159bbf176588af951aba1381

  • SHA256

    25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

  • SHA512

    a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f

  • SSDEEP

    12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

Malware Config

Extracted

  • Path

    C:\EGdu_HOW_TO_DECRYPT.txt

  • Family

    hive

  • Ransom Note

    Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data or to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: jxkdVr8zZs5J Password: GHTM6Qgqyhqs4nMH53ZD To get access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.uj1ps files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed.

  • URLs

    http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

    http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 10 IoCs)
  • Modifies security service (2 TTPs, 1 IoCs)
  • Process spawned unexpected child process (2 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Clears Windows event logs (1 TTPs, 3 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files (4 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory (64 IoCs)
  • Launches sc.exe (8 IoCs)

    Sc.exe is a Windows utility to control services on the system.

  • Program crash (1 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 6 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (2 IoCs)
  • Opens file in notepad (likely ransom note) (5 IoCs)
  • Runs net.exe
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (22 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
    "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        PID:3184
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
        PID:3856
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SstpSvc" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SstpSvc" /y
        3⤵
        PID:4092
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "vmicvss" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "vmicvss" /y
        3⤵
        PID:3996
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "VSS" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "VSS" /y
        3⤵
        PID:3428
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "wbengine" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "wbengine" /y
        3⤵
        PID:1496
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "WebClient" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "WebClient" /y
        3⤵
        PID:3404
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "UnistoreSvc_1a529" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "UnistoreSvc_1a529" /y
        3⤵
        PID:3684
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SamSs" start= disabled
      2⤵
      • Launches sc.exe
      PID:1536
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SDRSVC" start= disabled
      2⤵
      • Launches sc.exe
      PID:3528
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SstpSvc" start= disabled
      2⤵
      • Launches sc.exe
      PID:4228
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "vmicvss" start= disabled
      2⤵
      • Launches sc.exe
      PID:4828
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "VSS" start= disabled
      2⤵
      • Launches sc.exe
      PID:4584
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "wbengine" start= disabled
      2⤵
      • Launches sc.exe
      PID:1184
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "WebClient" start= disabled
      2⤵
      • Launches sc.exe
      PID:4744
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "UnistoreSvc_1a529" start= disabled
      2⤵
      • Launches sc.exe
      PID:2184
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1324
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      2⤵
      PID:4940
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      PID:5076
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      2⤵
      PID:2592
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      2⤵
      PID:4212
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:508
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:1928
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:2444
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:2008
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:3604
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      2⤵
      PID:4964
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      2⤵
      PID:2956
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      2⤵
      PID:4948
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      2⤵
      PID:3868
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      PID:2440
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      PID:3404
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      2⤵
      PID:2136
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      2⤵
      PID:4108
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      2⤵
      PID:5112
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      2⤵
      PID:2004
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      2⤵
      PID:3776
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      2⤵
      PID:1188
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      2⤵
      PID:408
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      2⤵
      PID:2820
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      PID:2644
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      PID:4924
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      PID:1896
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:4880
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:4960
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1028
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:4132
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies security service
      PID:1572
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1812
    • C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl system
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:4324
    • C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl security
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:1284
    • C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl application
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:368
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3988
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      2⤵
      PID:1308
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
      2⤵
      PID:3912
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableIOAVProtection $true
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3464
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      PID:220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3020
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe C:\EGdu_HOW_TO_DECRYPT.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
      2⤵
      PID:4568
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4696
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\EGdu_HOW_TO_DECRYPT.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3704
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2332
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
    1⤵
    PID:2236
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
      OfficeC2RClient.exe /error PID=2236 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of SetWindowsHookEx
      PID:3148
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:724
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4204
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\odt\config.xml.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2eqxSmyZJzKLvhvcOgAU3h3.uj1ps
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3672
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\odt\EGdu_HOW_TO_DECRYPT.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1716
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4040
  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                      1⤵
                                                                                      • Enumerates system info in registry
                                                                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                      PID:3700
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc96f74f50,0x7ffc96f74f60,0x7ffc96f74f70
                                                                                        2⤵
                                                                                          PID:4264
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
                                                                                          2⤵
                                                                                            PID:2260
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2044 /prefetch:8
                                                                                            2⤵
                                                                                              PID:3716
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
                                                                                              2⤵
                                                                                                PID:2604
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:4812
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
                                                                                                  2⤵
                                                                                                    PID:4804
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
                                                                                                    2⤵
                                                                                                      PID:3336
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
                                                                                                      2⤵
                                                                                                        PID:3284
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
                                                                                                        2⤵
                                                                                                          PID:2112
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
                                                                                                          2⤵
                                                                                                            PID:548
                                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                          1⤵
                                                                                                            PID:4488
                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 424 -p 3012 -ip 3012
                                                                                                            1⤵
                                                                                                              PID:3476
                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                              C:\Windows\system32\WerFault.exe -u -p 3012 -s 2920
                                                                                                              1⤵
                                                                                                              • Program crash
                                                                                                              PID:996
                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                              1⤵
                                                                                                              • Modifies registry class
                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:4008
                                                                                                              • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                "C:\Windows\system32\NOTEPAD.EXE" C:\odt\config.xml.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2eqxSmyZJzKLvhvcOgAU3h3.uj1ps
                                                                                                                2⤵
                                                                                                                • Opens file in notepad (likely ransom note)
                                                                                                                PID:4968
                                                                                                            • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                              "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
                                                                                                              1⤵
                                                                                                                PID:3204
                                                                                                                • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
                                                                                                                  OfficeC2RClient.exe /error PID=3204 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
                                                                                                                  2⤵
                                                                                                                  • Process spawned unexpected child process
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:4816

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\EGdu_HOW_TO_DECRYPT.txt
  Filesize: 1KB
  MD5: 4e68cfad3f3cbef5406c90fd9e9d7931
  SHA1: 504d53957bbed8e1a612c791eec7abdd17bd15bc
  SHA256: 51dc299391f9b3eca411936a0d01781ad68799d282655e0d20c8c8521aa8e014
  SHA512: 78c89847c3a7c128e5d54c3fff0e41c89a61722730b9d02d9c7e0b6985ce8188c3c37b6357a71c30f7e34c8b78f94599a186be6c189e56f6ccb832033e77172a

• C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
  Filesize: 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

• C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
  Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

• C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
  Filesize: 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

• C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml
  Filesize: 97KB
  MD5: b5f9de02e0d3b909bba32d4c29449e8e
  SHA1: af14db9dc20f5fdfa51b69c25045295ca104bc13
  SHA256: 37f395557650b4cf0bf46721bede87af5b759952de35c63ca8509dc68a5c8f15
  SHA512: 1b131741d427cb147f7ac09fd03237f05ca4e1317fe4dbfd4564eb8a71d886a840e267adc3689c98ee15e7321ea0c547fabc85d6d6f1970236db214832fe62e8

• C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db
  Filesize: 24KB
  MD5: a6064fc9ce640751e063d9af443990da
  SHA1: 367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
  SHA256: 5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
  SHA512: 0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 2b1280525223d429609fbe4da77a8d1c
  SHA1: 6f6d009c6270e0a107f609d0de4bbd5a86ae6b47
  SHA256: e6df05fec03d814b59604816e16027b9b5f2b1a2d17c8dd5276eda9ed914186c
  SHA512: 20e17307d389d002bcc7555a0e3dcdff530b120091cce8e3cf2823d0613495703f4fcf7726d7947648f8e09fbaeb3187d6543b814d8af8115fb9a473147e92db

• C:\odt\EGdu_HOW_TO_DECRYPT.txt
  Filesize: 1KB
  MD5: 4e68cfad3f3cbef5406c90fd9e9d7931
  SHA1: 504d53957bbed8e1a612c791eec7abdd17bd15bc
  SHA256: 51dc299391f9b3eca411936a0d01781ad68799d282655e0d20c8c8521aa8e014
  SHA512: 78c89847c3a7c128e5d54c3fff0e41c89a61722730b9d02d9c7e0b6985ce8188c3c37b6357a71c30f7e34c8b78f94599a186be6c189e56f6ccb832033e77172a

• C:\odt\config.xml.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2eqxSmyZJzKLvhvcOgAU3h3.uj1ps
  Filesize: 688B
  MD5: f062848d9ab634339d6322ff8ea96529
  SHA1: 22bd4f28f87d327f9a7cecb940f37dbfbe2ac2fe
  SHA256: 983c08f4586debbc1f8e2f5a35e5a25b857cf7084f25b0c1222eaa9d13d18731
  SHA512: ef6b8aad7617ddf14b75a161dd058a723aa50625fed40ecaff4cfb314aa09d19ba1e7e32afeb1df3bc9bf1996bac50df7e646f5b7cdf336e602f7746e5a05835

• memory/3020-216-0x00000000750A0000-0x00000000750EC000-memory.dmp
  Filesize: 304KB

• memory/3464-201-0x00000000059B0000-0x0000000005A16000-memory.dmp
  Filesize: 408KB

• memory/3464-207-0x0000000008120000-0x000000000879A000-memory.dmp
  Filesize: 6.5MB

                                                                                                              • memory/3464-199-0x0000000005B30000-0x0000000006158000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.2MB

                                                                                                              • memory/3464-213-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

                                                                                                                Filesize

                                                                                                                32KB

                                                                                                              • memory/3464-212-0x0000000007E10000-0x0000000007E2A000-memory.dmp

                                                                                                                Filesize

                                                                                                                104KB

                                                                                                              • memory/3464-211-0x0000000007D00000-0x0000000007D0E000-memory.dmp

                                                                                                                Filesize

                                                                                                                56KB

                                                                                                              • memory/3464-210-0x0000000007D50000-0x0000000007DE6000-memory.dmp

                                                                                                                Filesize

                                                                                                                600KB

                                                                                                              • memory/3464-209-0x0000000007B50000-0x0000000007B5A000-memory.dmp

                                                                                                                Filesize

                                                                                                                40KB

                                                                                                              • memory/3464-208-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

                                                                                                                Filesize

                                                                                                                104KB

                                                                                                              • memory/3464-198-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

                                                                                                                Filesize

                                                                                                                216KB

                                                                                                              • memory/3464-206-0x0000000006D70000-0x0000000006D8E000-memory.dmp

                                                                                                                Filesize

                                                                                                                120KB

                                                                                                              • memory/3464-205-0x00000000750A0000-0x00000000750EC000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/3464-204-0x0000000006DC0000-0x0000000006DF2000-memory.dmp

                                                                                                                Filesize

                                                                                                                200KB

                                                                                                              • memory/3464-203-0x00000000067D0000-0x00000000067EE000-memory.dmp

                                                                                                                Filesize

                                                                                                                120KB

                                                                                                              • memory/3464-202-0x0000000005A90000-0x0000000005AF6000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/3464-200-0x0000000005800000-0x0000000005822000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                              • memory/5060-132-0x0000000000A20000-0x0000000000D32000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.1MB

                                                                                                              • memory/5060-224-0x0000000000A20000-0x0000000000D32000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.1MB

                                                                                                              • memory/5060-133-0x0000000000A20000-0x0000000000D32000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.1MB