b3d040cc39261b93b268bf68d858f8f0c8e212993473fede977995d72d0a3545

Resubmissions

14/01/2023, 16:34

230114-t3lnkaed7t 3

14/01/2023, 16:31

230114-t1pbnsae48 6

Analysis

max time kernel
130s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UNBAN.dll
Size

567KB
MD5

a60e53faa9cf909222acfec2e193385f
SHA1

8c6f6c004a8ee10ad06f9f686dd463a9974dad04
SHA256

b3d040cc39261b93b268bf68d858f8f0c8e212993473fede977995d72d0a3545
SHA512

f2e4a7defae7fa0ca5a7a7a36b43b04c06e256b0c2c5721b782d6d3db34c3ce1b4e2b1fe25fb5d1ca63f6c39cecd2d51c52be21db5366d7f37c7966f577a8039
SSDEEP

12288:keYq5Of622ecraZ4vwvf8UxCj2AqeMQmOGnB3RU6jKTu:keYq0f12ecraPkuGKFOGnBLjKi

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4420	4972	WerFault.exe	79

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4516	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1680	chrome.exe
1680	chrome.exe
4148	chrome.exe
4148	chrome.exe
4372	chrome.exe
4372	chrome.exe
1664	chrome.exe
1664	chrome.exe
4920	chrome.exe
4920	chrome.exe
4992	chrome.exe
4992	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1232	unregmp2.exe
Token: SeCreatePagefilePrivilege	1232	unregmp2.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 1936	3968	wmplayer.exe	84
PID 3968 wrote to memory of 1936	3968	wmplayer.exe	84
PID 3968 wrote to memory of 1936	3968	wmplayer.exe	84
PID 3968 wrote to memory of 3604	3968	wmplayer.exe	85
PID 3968 wrote to memory of 3604	3968	wmplayer.exe	85
PID 3968 wrote to memory of 3604	3968	wmplayer.exe	85
PID 3604 wrote to memory of 1232	3604	unregmp2.exe	86
PID 3604 wrote to memory of 1232	3604	unregmp2.exe	86
PID 4148 wrote to memory of 4728	4148	chrome.exe	98
PID 4148 wrote to memory of 4728	4148	chrome.exe	98
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 4600	4148	chrome.exe	101
PID 4148 wrote to memory of 1680	4148	chrome.exe	102
PID 4148 wrote to memory of 1680	4148	chrome.exe	102
PID 1512 wrote to memory of 2568	1512	chrome.exe	104
PID 1512 wrote to memory of 2568	1512	chrome.exe	104
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105
PID 4148 wrote to memory of 2200	4148	chrome.exe	105

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\UNBAN.dll,#1
1⤵
PID:4972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4972 -s 328
  2⤵
  - Program crash
  PID:4420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 4972 -ip 4972
1⤵
PID:4388

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:1936
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1232

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RemoveUnpublish.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ecd44f50,0x7ff8ecd44f60,0x7ff8ecd44f70
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,215130377205271941,12055845124798323468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ecd44f50,0x7ff8ecd44f60,0x7ff8ecd44f70
  2⤵
  PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
60cd6e50a74c45f9514c2ec70fe16a0d

SHA1
4d09cb4351688681c28912f89869703fc3a98c0a

SHA256
32fc80412bdafb44620e9694a7a9e1328c6067977021068d93061ee7753522d1

SHA512
cbab6f727cfedfeddd32fb9763479530530b79df262d09f319fecac9f89d9e08a5f38331f85f26930a35bf6e5bac01821b8edea4bd2b3abec5db55ff4468857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
5e2ca3e0e43d8a3abee74e29c000968e

SHA1
f56f19febc341e0ffd2d3f0e5f3852974608497d

SHA256
1a84f484dc3690908eeff934dec3024ab417e481f36c2e9d35ece2730b9bbc1b

SHA512
f81bde3db2874960f4fbe311bcdc645576daa3db0c4346399df9156eb1b0977ab55c1b3fdbe96d959bc5fc3f830c628a64df695dbadbc97f9bcedccdddb17c91

Download Submit
C:\Users\Admin\Desktop\CloseRemove.jpe

Filesize
174KB

MD5
271133518cba0084be318d0f9740aedf

SHA1
d4e69f2937d30dc078912cf7e7a758b712ae7bfe

SHA256
ed900d83e38b8ac8bdcf5da31113ec49d2c8312caf1596cc51dcbc697a9db9b4

SHA512
d65b6b2b66907986b3c6e3edbe4d4ade8f65c49889f2ba21846babb89e179acd1082f8c27b17b9937e4c5d2aa7b883b48b2ee56929251709520526cd1ab56a9c

Download Submit
C:\Users\Admin\Desktop\CompressWait.svgz

Filesize
146KB

MD5
c37b77e0d0db8bfa5186ca5dd3f2ec92

SHA1
885a2de88fcc5161e441b293986d431aba255806

SHA256
2710f8c015320eebaaf50386dc3f53da888d208f9940db15d8ade28ec1ca1b5f

SHA512
dfd441e30c944b167dc1fe74eb8f7ef6e86067e48287bb7e3477cade3ab29bd62393de43af6c5c2e871c9cbc71f1dde3956dfe46a6bac06e9aad39dc750e1f57

Download Submit
C:\Users\Admin\Desktop\ConnectDismount.vsd

Filesize
299KB

MD5
aa5319ce1e8133fda1d064344b726fa0

SHA1
68cdae49b8fd3ec32ae16a37d2160229aafca63a

SHA256
4b0e4fc1eabf785e6c7ff8aa1377016549d76865efe458590fc08cdf6044130f

SHA512
fc50cd9c579e29369b0f6fadcc7e6aa51faaa82d3a7cb90eab050bc626f51a5949292fa088cea88b5e13868d5e224c78c1ca5bfc030b923ad660f7642571ec96

Download Submit
C:\Users\Admin\Desktop\ConvertFromRepair.mpv2

Filesize
410KB

MD5
5458cf1a64b45c38c85d364408d445f8

SHA1
2fe649dd790bd9ad0a75cf97e4e5e0d2df6bb9a3

SHA256
a97162000a88de391e0231bb18605fb09ce3dec22df8a81ac1f94f31ec5954d1

SHA512
d299f58857ae697123c233a3bd9050a378521394cc00eea9983a9733ef22620cdd12e37082988d3702b5f6aa05a376c95ed8da484c25a8156235244bf6bed568

Download Submit
C:\Users\Admin\Desktop\EditRestart.wm

Filesize
341KB

MD5
de46747c051a277b1a72c1bac74d4a5c

SHA1
1518f7b857cb8f4b65202396d04397d2145a37af

SHA256
227a63ce73235f03333a47af9bf5b73824c651cf5c0abf1d505e52e6905f7675

SHA512
b63c435c90452f0ef794d8b483579117f2b9c308972df889489efce215babeca83cc7f96280f08aecf94836a31b74b3677c2c639d00b189ba4aaf00ba969afc7

Download Submit
C:\Users\Admin\Desktop\GetFormat.htm

Filesize
243KB

MD5
c54f5fd71ee793ec1f2a63abe83cb787

SHA1
c3a720f2053bc49a26028fdcea3496cb74717c24

SHA256
6a28b9231a78188061ee5fea6d90d87f05e4cb77ed24721f84c9bd26b5a738c8

SHA512
e925d2a94eedc558acfd0add39e2fef208310e49bf1b5996dab76d98bdc523121aaaebe1c0b028c953a2dbd130eee988463b4e64d9af193c6527a841b623a3ed

Download Submit
C:\Users\Admin\Desktop\GroupPop.otf

Filesize
383KB

MD5
0a9f9ee39bd80974e0d326cba7c4099c

SHA1
24b3850170e95bf809cf153dd0e5f4882f0058a9

SHA256
88c6473841339fc4b845de897f080f600a1af8763f17058ab9e9c74b4ae8f96a

SHA512
e23ca379a1f66d959c144fd3d6d7d8ddd2e883e44861b8dee168399701ad6abfbc131d86c85a46e546fac76d0867732942480de841373d79b2ab6b5ed3432838

Download Submit
C:\Users\Admin\Desktop\ImportStep.pot

Filesize
397KB

MD5
c99a9ca42ded4d1ec780023635f56e52

SHA1
f1917661fd07616ffdc6e152a9586a3247209ea8

SHA256
0e536abbe8db2a2a904a453aff9f20ddbfa4ba07bc0cbbbe9228b89f2498bb54

SHA512
4a1cf8a1b7907151be5573250018f27f8fef26df64369320d43d84bd0eb60993fb47390af91c9f08ff0927507f015d366f9753443946375f78e63f732d5c3373

Download Submit
C:\Users\Admin\Desktop\InitializeWatch.mp4v

Filesize
369KB

MD5
635dcd075e86da305d5a586d9f41afc1

SHA1
64fdfb58756738e88726938eba53a11db86c5c0a

SHA256
70af2bc569f01646b4e0faece40b4230f17b5371e71f8675a83ab42fbf57ffad

SHA512
58ae5ab6a73267d607733f78c0243b65743a80b46ecef9b2c2c9cfe0a1cc8535b32426c779c9d68cefad7cb399b0327aa06ceb745c8445baf89627dbdbe61479

Download Submit
C:\Users\Admin\Desktop\InstallUnprotect.jpg

Filesize
160KB

MD5
992514bb54f4448d077371694f01b466

SHA1
fc61280470b08fab0f15a17ff43bf9a73c10e20a

SHA256
57efb1520087710ad4684219ea33cde13c00efb2615e0ecea417af37ca0bbcc7

SHA512
81de0c4d1c44f0e31ad2e634a1fb051d007e7fb4eb448a17cfe81e9c3093764856e0cf55f9062d70063440d429548da0e53746a095cea9317b4670005118be8f

Download Submit
C:\Users\Admin\Desktop\OpenDeny.vsd

Filesize
327KB

MD5
ec7a57ab5d225bcee2626c598062034c

SHA1
41ef85f42c8f0a5204ee8d652cc8b643160f9924

SHA256
0bdc9c6d6809188e2404664906aa056f840a6f9953e535aff1972270c2668843

SHA512
ecdb84449289e221422a2fafea98d6809247d310aa20fe78f19ba891a288136315d4c6fb70db53ad7157a50ab9802759169080cefe6990f5b053a41d81674a30

Download Submit
C:\Users\Admin\Desktop\OptimizeRegister.ini

Filesize
257KB

MD5
c861ba707fee1b277caf597202b90aff

SHA1
a490180d74c8b9897534954ae43a7a8b6478ca74

SHA256
91c8391f44c03bf89b4d9c71b555a5aa41a917784013ecad37f5b18dae210f1a

SHA512
591c356fddd69177092118a5e548e9b6e5c1498d69fc5d4658c0a4c55517ee328be04bf93bf6d948f8211be1a692b4f32f6bc158553be683118117bec1f9ea82

Download Submit
C:\Users\Admin\Desktop\RemoveUnpublish.txt

Filesize
188KB

MD5
2f96e52e6c07c2a9ef93d14d341f238e

SHA1
be57f588c3c8eb7088dd7b87a51df6f1dd86e49c

SHA256
8c039364c545b0ca62692f3f121883ab1d9b7ab141c09175cabea24110aba61d

SHA512
4ab78b797c284a9b97f639d81792fbbe226922a5a8c0ad78a9983699d7d8be9984526029f37e612fb89312863822c6359b95b2974d28344420f704da584a8625

Download Submit
C:\Users\Admin\Desktop\ResetResume.vdw

Filesize
571KB

MD5
910c357ebc02ac02a6d2c3893368a120

SHA1
aed18f162b085e7c0b7257c9fe19979e8e24a175

SHA256
5a57eb6f6a0fc5f976991c9ad60cc59b0eda16aba4d01011e91a40c7d44fe186

SHA512
1f4b8c914645f9b3e8cc63ebe2147dcaf234506728613ea0ef3e1fe42399bd5a7c422d7a6548d157b5d1fe13d3cd3e9cc0adb05f25842f0209f0e707056bbd11

Download Submit
C:\Users\Admin\Desktop\RestartRename.rar

Filesize
229KB

MD5
fceec1ec910fa5597e4194bf450e02cc

SHA1
2317125252d01d874ca57ae327191bd9e9b2eeb2

SHA256
e3a46c67200e180b7227654fbc6b7dfedb8a46ee44451aecaee64af63acce3b7

SHA512
f8bc0edf17c6a92d033d9c87a7e7e66bd554778e65fdc02b8a70e80788c09e37eee39b9bb5e8cbea2588ea032dc748908840a894a73a2c070d26dce46bb90a16

Download Submit
C:\Users\Admin\Desktop\SelectGrant.vsw

Filesize
202KB

MD5
4851fc1d0e491f2422415fd0d1bd1c74

SHA1
9d72ab52d81f67ad23768bd5a36d29946cb3dc35

SHA256
3fe0e6cac077837d6dec0ff78551f678f4498f97b1de4fd43ffbeabd5044e75d

SHA512
03f37d5185d3c00a03a1f7f553b5b4c4144288871ad96f6718745fd6eb4bce7df7956a3e8017d8c450f4cb69360e26173c1e4c431466f5c433a55b55b549d3e3

Download Submit
C:\Users\Admin\Desktop\SubmitDebug.tif

Filesize
355KB

MD5
cced695613f4fa176f2c24e2d9b09292

SHA1
51ae9fb707bbfb1fbd122d7b4f65161b5973929d

SHA256
1f1b2143dab39519977fdf9b0c82462369c0f9c1c9c7a398f591e899efd10c54

SHA512
4718d1d6decadc6c49fa9e90927f68dc48136dee23c4b012d1c8ec60c1e1ad57ae0b5d0cc24916efeed4ff037125d34db1dc79b08628e88de1d92bf4aba7aa17

Download Submit
C:\Users\Admin\Desktop\UnblockSelect.wpl

Filesize
215KB

MD5
4a6d5f6d79750a9a54edd3f14e0bfe8b

SHA1
c8cb47b5202d84f22c5218837f2878f28b84c8f7

SHA256
c4cb39f2618053909987861079dfaeef3346ddad54edbfbff255b5110b9e43f4

SHA512
044d604816f935b293a3d6e704376215adad5b62f83f728e35a68ca8b66a2896b9277a4d920a437452bd1dc8c0eac2c1f546dda1b7ef5c37b8617f5627142921

Download Submit
C:\Users\Admin\Desktop\UndoRegister.ocx

Filesize
271KB

MD5
ad2cc8696aedd52f6550e742f982de5e

SHA1
e64867ddf87c5cbc87278b59dd9b8a1207036593

SHA256
897164af4a35ba582dda8405f412601fa61c116158c8c100142dd2eef18bf63e

SHA512
0531bd2c141382bd014e544c25f56a7855ca3ff0710645001c86e74fee6a3d3c88413c022d88bfb510f98869c983759f7d12a2bbe207c66df410a270f3ff6e66

Download Submit
C:\Users\Admin\Desktop\UnprotectUnblock.wmv

Filesize
285KB

MD5
c99c31520a3b90cec68d9e0d466263c0

SHA1
9b77ec20d6a55aeb7e3e4f1ab3ce110ab93c1977

SHA256
b7e7f857de1b3e78b770fb948a56bab3ebfce60f9eea5ccd63ab8764993fe514

SHA512
49fb76dcbec0eed9e145569f06412b854b428e3d18d8ffdc9e5c52ac4e55f82898ebe2249f5b81b8c5c906be32ec93902eafdc68e3162f52758b9cdfedd855b6

Download Submit
C:\Users\Admin\Desktop\UseRequest.aif

Filesize
313KB

MD5
3a37a96281a11b1788eb2cb888ece2f7

SHA1
83449837e0de7295af22b6ba3426084cf9576f7d

SHA256
9ffb15a3b815f87d9f0d68b4a050c7dccb22b3328956096c25735a5b33c5eb36

SHA512
88b36b0e0f46e9152716c92a9ffca36a85f13bae484e883d9450d88fed1ef99a93a9a3c09bba7b21b797a2bb57e0ea6c6c70eb7a930aa59d24ec42cdf6af382c

Download Submit